s-a-zhd Ecommerce Website SQL Injection Vulnerability in shop.php

A critical SQL injection vulnerability has been identified in the s-a-zhd Ecommerce Website using PHP version 1.0. The issue arises in the file shop.php, where the p_cat parameter can be manipulated to execute arbitrary SQL commands. This vulnerability can be exploited remotely, potentially leading to unauthorized access to sensitive user data, database leaks, and exposure of admin panel credentials.

Impact

Exploitation of this vulnerability allows for unauthorized SQL command execution, leading to data breaches, data manipulation, authentication bypass, and in some cases, remote code execution or denial-of-service conditions.

Reproduction

The vulnerability can be reproduced by sending a request to shop.php with a crafted p_cat parameter that includes SQL injection payloads. For example, using SQLMap to automate the exploitation process can successfully extract database information, demonstrating the vulnerability.

Remediation

To address this vulnerability, it is recommended to implement parameterized queries and input validation to prevent SQL injection. Additionally, conducting regular security audits and using web application firewalls can help mitigate the risks.