Primary

Context

Smartshop SQL Injection Vulnerability in Search.php

Vulnerability

A time-based blind SQL injection vulnerability has been identified in Smartshop version 1. This vulnerability allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'searched' parameter in search.php. Exploitation involves sending GET requests with malicious SQL payloads, such as SLEEP commands, which can be used to extract sensitive database information, including product details and system data.

Impact

Exploitation of this vulnerability allows for time-based blind SQL injection, where an attacker can manipulate SQL queries and potentially extract sensitive information from the database.

Reproduction

To reproduce this vulnerability, send a GET request to search.php with the 'searched' parameter. Include a payload that exploits the SQL injection, such as a SLEEP command. The application will pause for the duration specified in the SLEEP command, indicating that the SQL injection was successful.

Added: May 26, 2026, 9:21 PM

Updated: May 26, 2026, 9:21 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

3.1

exploitability

8.7

remediation

0.0

relevance

9.2

threat

6.4

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

3.1

exploitability

8.7

remediation

0.0

relevance

9.2

threat

6.4

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Smartshop SQL Injection Vulnerability in Search.php

Vulnerability

Impact

Reproduction

Affected Products

Smartshop

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating