Vendor: Livelycart
By: Manish Kishan Tanwar AKA error1046
CVSS: 8.8 (HIGH)
Type: SQL Injection
CWE: 89
Product Name: Livelycart
Affected Version From: 1.2.2000
Affected Version To: 1.2.2000
Patch Exists: NO
Related CWE: N/A
CPE: a:codecanyon:livelycart
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2015

Lively cart SQL Injection vulnerability

Lively cart is a shopping cart script. Its search parameter (search_query) does not filter user-supplied data, so it is affected by an SQL injection vulnerability.

Mitigation:

Input validation and sanitization should be applied to user-supplied data.
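
The following is an added example, not LivelyCart's code and not part of the original advisory: it contrasts a search query built by string concatenation with one that validates length, escapes LIKE wildcards and binds search_query as a parameter. The `products` table, the function names, the 100-character limit and the in-memory SQLite database (PDO with pdo_sqlite) are assumptions made for illustration.

```php
<?php
// Added example: hypothetical schema and function names, not LivelyCart's code.
// Uses an in-memory SQLite database so it runs offline (requires pdo_sqlite).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)');
// Constructed sample rows.
$pdo->exec("INSERT INTO products (name) VALUES ('Red mug'), ('O''Neill cap'), ('100% cotton shirt')");

// Vulnerable pattern: search_query is concatenated into the SQL text.
function search_concatenated(PDO $pdo, string $searchQuery): array
{
    $sql = "SELECT id, name FROM products WHERE name LIKE '%" . $searchQuery . "%'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: length check, LIKE wildcards escaped, value bound as a parameter.
function search_parameterized(PDO $pdo, string $searchQuery): array
{
    if (strlen($searchQuery) > 100) { // assumed limit for a search box
        throw new InvalidArgumentException('search_query too long');
    }
    // Escape the escape character first, then % and _, so input matches literally.
    $escaped = strtr($searchQuery, ['!' => '!!', '%' => '!%', '_' => '!_']);
    $stmt = $pdo->prepare("SELECT id, name FROM products WHERE name LIKE :term ESCAPE '!'");
    $stmt->execute([':term' => '%' . $escaped . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Compare both functions on a normal term, a lone quote, and a wildcard character.
foreach (['mug', "'", '100%'] as $input) {
    try {
        $old = count(search_concatenated($pdo, $input)) . ' row(s)';
    } catch (PDOException $e) {
        // A SQL error here means the input was parsed as SQL, not treated as data.
        $old = 'SQL error (input reached the SQL parser)';
    }
    $new = count(search_parameterized($pdo, $input)) . ' row(s)';
    printf("%-8s concatenated: %s | parameterized: %s\n", var_export($input, true), $old, $new);
}
```

A database error on a lone quote, as in the concatenated version, is the sign to look for when reviewing other parameters in the same code base.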

Exploit-DB raw data:

##################################################################################################
#Exploit Title : Lively cart SQL Injection vulnerability
#Author        : Manish Kishan Tanwar AKA error1046
#Vendor Link   : http://codecanyon.net/item/livelycart-a-jquery-php-store-shop/5531393
#Date          : 18/06/2015
#Love to       : zero cool,Team indishell,Mannu,Viki,Hardeep Singh,Incredible,Kishan Singh and ritu rathi
#Discovered At : Indishell Lab
##################################################################################################

////////////////////////
/// Overview:
////////////////////////


Lively cart is a shopping cart script. Its search parameter (search_query) does not filter user-supplied data, so it is affected by an SQL injection vulnerability.

///////////////////////////////
// Vulnerability Description:
///////////////////////////////
The vulnerability is due to the search_query GET parameter.

////////////////
///  POC   ////
///////////////


http://SERVER/1.2.0/product/search?search_query='


                             --==[[ Greetz To ]]==--
############################################################################################
#Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba, 
#Silent poison India,Magnum sniper,ethicalnoob Indishell,Reborn India,L0rd Crus4d3r,cool toad,
#Hackuin,Alicks,mike waals,Suriya Prakash, cyber gladiator,Cyber Ace,Golden boy INDIA,
#Ketan Singh,AR AR,saad abbasi,Minhal Mehdi ,Raj bhai ji ,Hacking queen,lovetherisk,Bikash Dash
#############################################################################################
                             --==[[Love to]]==--
# My Father ,my Ex Teacher,cold fire hacker,Mannu, ViKi ,Ashu bhai ji,Soldier Of God, Bhuppi,
#Mohit,Ffe,Ashish,Shardhanand,Budhaoo,Jagriti,Salty and Don(Deepika kaushik)
                       --==[[ Special Fuck goes to ]]==--
                            <3  suriya Cyber Tyson <3