Ashop Shopping Cart Software Time-Based Blind SQL Injection Vulnerability

Vulnerability

A time-based blind SQL injection vulnerability has been identified in Ashop Shopping Cart Software. The blacklistitemid parameter of POST requests to the admin/bannedcustomers.php endpoint is used in a database query without adequate sanitization, so an attacker can alter the query by sending crafted SQL in that parameter. Because the application returns no direct query output, the attacker infers database contents by injecting the SLEEP function: a measurable delay in the response indicates that the injected payload was executed.

Impact

Exploitation of this vulnerability allows for time-based blind SQL injection, where attackers can manipulate SQL queries and potentially extract sensitive information from the database.

Reproduction

To reproduce this vulnerability, send a POST request to the admin/bannedcustomers.php endpoint with the blacklistitemid parameter. Include a crafted SQL payload that utilizes the SLEEP function to create a delay in the response, indicating successful exploitation.
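The request pattern described above (POST to admin/bannedcustomers.php with a time-delay primitive in blacklistitemid) can be both detected at the web or WAF log layer and blocked at the application layer by strict input validation. The following is an added example written for this advisory, not Ashop's own code; the endpoint path and parameter name come from the advisory, while the sample requests and the set of delay functions checked are constructed assumptions.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs

# Constructed sample requests (method, path, url-encoded POST body); not real traffic.
SAMPLE_REQUESTS: List[Tuple[str, str, str]] = [
    ("POST", "/admin/bannedcustomers.php", "blacklistitemid=17&action=delete"),
    ("POST", "/admin/bannedcustomers.php", "blacklistitemid=17%20AND%20SLEEP(5)"),
    ("POST", "/admin/bannedcustomers.php", "blacklistitemid=17'"),
    ("GET", "/index.php", "q=sleepwear"),
]

# Time-delay primitives commonly used in blind probes; assumption: MySQL-style names.
TIME_DELAY_RE = re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\b", re.IGNORECASE)
INT_RE = re.compile(r"\d{1,10}")


def validate_blacklistitemid(raw: str) -> Optional[int]:
    """Application-side fix: accept only a plain integer id, else reject (None).

    The validated int should then be bound as a query parameter, never concatenated."""
    return int(raw) if INT_RE.fullmatch(raw) else None


def flag_request(method: str, path: str, body: str) -> Optional[str]:
    """Detection-side check: describe why a request to the affected endpoint is suspicious."""
    if method != "POST" or not path.endswith("/admin/bannedcustomers.php"):
        return None
    params = parse_qs(body, keep_blank_values=True)  # decodes %20 etc. for inspection
    for raw in params.get("blacklistitemid", []):
        if validate_blacklistitemid(raw) is not None:
            continue  # well-formed id, nothing to report
        if TIME_DELAY_RE.search(raw):
            return f"time-based SQLi probe in blacklistitemid: {raw!r}"
        return f"non-numeric blacklistitemid (possible injection attempt): {raw!r}"
    return None


def findings(requests: List[Tuple[str, str, str]]) -> List[str]:
    """Run flag_request over a batch of requests and collect the findings."""
    return [f for f in (flag_request(*r) for r in requests) if f]


if __name__ == "__main__":
    for finding in findings(SAMPLE_REQUESTS):
        print(finding)
```

The two findings from the constructed batch are the SLEEP probe and the stray quote; the legitimate integer id and the unrelated GET produce nothing.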

Added: Feb 22, 2026, 2:21 PM
Updated: Feb 22, 2026, 2:21 PM

Vulnerability Rating

Custom Algorithm
  spread:         0.0
  impact:         2.5
  exploitability: 8.0
  remediation:    0.0
  relevance:      3.1
  threat:         6.4
  urgency:        2.9
  incentive:      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.