Smartshop 1 SQL Injection via product.php id Parameter

Vulnerability

Smartshop 1 (release version 1.0) contains a SQL injection vulnerability in the product.php endpoint. The $_GET['id'] parameter is directly interpolated into a SQL query without sanitization or parameterization, as shown in the vulnerable code: $id_product = $_GET['id']; ... WHERE id = '{$id_product}'. This affects all instances of Smartshop up to and including version 1.0 [1][2].

Exploitation

An unauthenticated attacker can exploit this vulnerability by sending a GET request to product.php with a crafted id parameter. A union-based SQL injection payload, such as ' UNION SELECT 1,user(),database(),4,5,6%23, is used to append additional query results. No authentication or special network position is required; the web application must be publicly accessible [1][2].

Impact

Successful exploitation allows the attacker to extract arbitrary data from the database, including usernames (via user()) and database names (via database()). The vulnerability can be escalated to retrieve the full database schema and contents, leading to information disclosure. The attacker does not gain direct write access or remote code execution from this vector [1][2].

Mitigation

No official patch or fixed version has been released by the vendor; the project appears to be no longer maintained. The recommended mitigation is to rewrite the affected queries using prepared statements or parameterized queries. Until a fix is applied, administrators should restrict access to the application or use a web application firewall (WAF) to block SQL injection patterns [1][2][3].