Ashop Shopping Cart Software SQL Injection Vulnerability

A SQL injection vulnerability has been identified in Ashop Shopping Cart Software, specifically in the latest version. This vulnerability allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'shop' parameter. Exploitation involves sending GET requests to 'index.php' with crafted 'shop' values, using UNION-based SQL injection to extract sensitive information from the database.

Impact

Exploitation of this vulnerability allows for unauthorized database access, potentially leading to the extraction of sensitive information.

Reproduction

To reproduce this vulnerability, send a GET request to 'index.php' with the 'shop' parameter set to a crafted SQL injection payload. The payload should exploit UNION-based SQL injection to retrieve database information. The injection can be verified by checking the response for the concatenated output of the injected SQL, indicating successful exploitation.