VYPR
High severity, 8.2 (NVD Advisory) · Published Feb 22, 2026 · Updated Apr 15, 2026

CVE-2019-25391

Description

Ashop Shopping Cart Software contains a time-based blind SQL injection vulnerability that allows attackers to manipulate database queries through the blacklistitemid parameter. Attackers can send POST requests to the admin/bannedcustomers.php endpoint with crafted SQL payloads using SLEEP functions to extract sensitive database information.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Ashop Shopping Cart Software has a time-based blind SQL injection in the blacklistitemid parameter, enabling database extraction.

The Ashop Shopping Cart Software is vulnerable to a time-based blind SQL injection in the admin/bannedcustomers.php endpoint. The blacklistitemid parameter is not properly sanitized, allowing an attacker to inject malicious SQL queries. By using SLEEP functions, the attacker can cause time delays that indicate successful injection, enabling data extraction without direct output [1].

Exploitation involves sending a POST request to the admin interface with a crafted payload in the blacklistitemid parameter. The PoC demonstrates a payload that uses a SLEEP(5) function to test for vulnerability. The attack requires no authentication according to the disclosed information, though the endpoint is in the admin directory [1].

Successful exploitation allows an attacker to extract sensitive database information, such as user credentials and other confidential data, by inferring values through response delays. This blind SQL injection technique can be automated to retrieve entire database schemas and contents.

Mitigation includes implementing proper input validation, using parameterized queries, and restricting access to admin pages. As of the disclosure date, no official patch was mentioned, and the vendor should address this issue promptly.
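To make the mitigation concrete, here is an added example (not code from Ashop or from this advisory) that puts the defective pattern beside the hardened one. It uses Python with SQLite in place of the product's PHP/MySQL stack, and the table and column names (banned_customers, id, email, reason) and the sample rows are constructed for the demonstration; only the parameter name blacklistitemid comes from the advisory.

```python
import sqlite3

# Constructed sample data: a stand-in for a banned-customers table, not Ashop's schema.
SAMPLE_ROWS = [
    (1, "alice@example.com", "chargeback"),
    (2, "bob@example.com", "fraud"),
    (3, "carol@example.com", "abuse"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE banned_customers (id INTEGER PRIMARY KEY, email TEXT, reason TEXT)"
    )
    conn.executemany("INSERT INTO banned_customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def validate_item_id(raw):
    """Accept only a plain positive integer for the blacklistitemid parameter.

    Anything else (spaces, operators, function calls such as SLEEP) is rejected
    before it reaches the database layer.
    """
    if not isinstance(raw, str) or not raw.isdigit():
        raise ValueError("blacklistitemid must be a positive integer")
    value = int(raw)
    if value <= 0:
        raise ValueError("blacklistitemid must be a positive integer")
    return value


def lookup_vulnerable(conn, raw):
    """Defective pattern: the request parameter is spliced into the SQL text.

    Whatever the client sends becomes part of the statement, so the WHERE
    clause can be rewritten by the caller. Shown only for contrast.
    """
    query = f"SELECT id, email, reason FROM banned_customers WHERE id = {raw}"
    return conn.execute(query).fetchall()


def lookup_safe(conn, raw):
    """Hardened pattern: validate the type, then bind the value as a parameter.

    The driver sends the SQL text and the value separately, so the value can
    only ever be compared against the id column, never parsed as SQL.
    """
    item_id = validate_item_id(raw)
    query = "SELECT id, email, reason FROM banned_customers WHERE id = ?"
    return conn.execute(query, (item_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_safe(db, "2"))                  # one row, id 2
    print(lookup_vulnerable(db, "2 OR 1=1"))     # every row: the WHERE clause was rewritten
    try:
        lookup_safe(db, "2 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)                  # validation stops it before the query runs
```

Either layer alone already defeats the injection: binding the value as a parameter keeps it out of the SQL grammar, and the integer check rejects the request before a query is built. Doing both, plus the access restriction on the admin directory that the advisory recommends, gives defence in depth; the same applies to the equivalent PHP pattern with PDO or mysqli prepared statements.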

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0

No linked articles in our index yet.