VYPR
Unrated severity · NVD Advisory · Published May 23, 2026

Smartshop 1 SQL Injection via search.php

CVE-2018-25342

Description

Smartshop 1 contains a time-based blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'searched' parameter in search.php. Attackers can send GET requests with malicious SQL payloads like SLEEP commands to extract sensitive database information including product details and system data.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Smartshop 1 contains an unauthenticated time-based blind SQL injection in the 'searched' parameter of search.php, allowing attackers to extract sensitive database information.

Vulnerability

Smartshop version 1 (up to and including 1.0) contains a time-based blind SQL injection vulnerability in the search.php file. The searched parameter from the GET request is directly concatenated into an SQL query without sanitization:

    $queryproduct = "SELECT SQL_CALC_FOUND_ROWS id, name, price, id_picture, thumbnail FROM product WHERE name LIKE '%{$word}%' ORDER BY id DESC LIMIT {$start}, 16";

This allows an unauthenticated attacker to inject arbitrary SQL commands. The same code pattern also affects category.php (parameter id, union-based) and product.php (parameter id, union-based). [1][2]

Exploitation

An attacker with network access to the application can send a crafted GET request to search.php with a malicious payload in the searched parameter. For example, appending ' AND SLEEP(10)%23 triggers a 10-second delay, confirming the injection. The attacker does not require authentication or any special privileges. By using time-based blind techniques, the attacker can systematically extract database contents by observing response delays. [1]

Impact

Successful exploitation allows an unauthenticated attacker to read arbitrary data from the database, including product details, user credentials, and other system information. The CVSS v4 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N) indicates high confidentiality impact with low integrity impact (limited ability to modify data). The attacker gains the ability to extract sensitive information but cannot directly execute commands on the server. [2]

Mitigation

No official patch has been released for Smartshop 1; the project appears to be unmaintained (last updated February 2017). Users should upgrade to a patched version if available. As a workaround, implement input validation and parameterized queries (prepared statements) for all user-supplied input. Additionally, web application firewalls (WAFs) can help detect and block SQL injection attempts. [1][3]
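
A parameterized form of the search.php query quoted above, as an added example (not Smartshop's code and not taken from the cited references). It assumes PDO; the function name searchProducts, the page argument, the '!' escape character and the in-memory SQLite table with its rows are constructed for illustration, and SQL_CALC_FOUND_ROWS is dropped because it is MySQL-only.

```php
<?php
declare(strict_types=1);

// Added example: hardened version of the product search from the advisory.
// searchProducts() and $page are hypothetical names, not part of Smartshop.
function searchProducts(PDO $db, string $searched, int $page = 1): array
{
    // Escape LIKE wildcards so the term is matched literally ('!' is the escape char).
    $term  = '%' . strtr($searched, ['!' => '!!', '%' => '!%', '_' => '!_']) . '%';
    $start = max(0, ($page - 1) * 16);

    // User input is only ever sent as bound values, never as SQL text.
    $stmt = $db->prepare(
        "SELECT id, name, price, id_picture, thumbnail
           FROM product
          WHERE name LIKE :term ESCAPE '!'
          ORDER BY id DESC
          LIMIT :start, 16"
    );
    $stmt->bindValue(':term', $term, PDO::PARAM_STR);
    $stmt->bindValue(':start', $start, PDO::PARAM_INT); // integer bind for the offset
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo database so the example runs offline.
// On MySQL, also set PDO::ATTR_EMULATE_PREPARES to false for server-side binding.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE product (id INTEGER PRIMARY KEY, name TEXT,
           price REAL, id_picture INTEGER, thumbnail TEXT)');
$db->exec("INSERT INTO product (name, price, id_picture, thumbnail) VALUES
           ('Red lamp', 19.9, 1, 'lamp.jpg'),
           ('Desk 100% oak', 120.0, 2, 'desk.jpg')");

// Constructed inputs: a normal term, the probe string from the advisory
// (URL-decoded), and two terms containing LIKE wildcards.
$inputs = ['lamp', "' AND SLEEP(10)#", '100%', '%'];
foreach ($inputs as $in) {
    $t0   = microtime(true);
    $rows = searchProducts($db, $in);
    printf("%-20s rows=%d  %.3fs\n", $in, count($rows), microtime(true) - $t0);
}
```

Because the probe string is bound as data, it is compared against product names as literal text and never reaches the SQL parser. The same binding applies to the id parameter in category.php and product.php.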

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

3
