CVE-2023-36284
Published 2023-06-23
Priority: P262 · Severity: high · CVSS 3.1 base score: 7.5
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploit: available
EPSS: 3.16% (86.4th percentile)
An unauthenticated Time-Based SQL injection found in Webkul QloApps 1.6.0 via GET parameter date_from, date_to, and id_product allows a remote attacker to bypass a web application's authentication and authorization mechanisms and retrieve the contents of an entire database.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| webkul | qloapps | — | — |
Detection & IOCs (extracted from sources)
- URL: /quick-order?date_from=2023-06-12%2000:00:00&date_to=2023-06-13%2000:00:00&deleteFromOrderLine=1&id_product=(select(0)from(select(sleep(5)))v)
- Detect time-based SQL injection attempts against QloApps by monitoring GET requests to /quick-order with a sleep() payload in the id_product, date_from, or date_to parameters; a response duration >= 5 seconds indicates successful injection.
- Fingerprint vulnerable QloApps instances by checking for the string 'QloApps' (case-insensitive) in the HTTP response body of the root path GET /.
- Use FOFA queries 'title="QloApps"' or 'title="qloapps"' to identify internet-exposed QloApps instances for proactive scanning.
- Confirm exploitation by checking that the response body contains the string 'Guest Information' alongside a response duration >= 5 seconds.
- The injection is unauthenticated and targets GET parameters date_from, date_to, and id_product on the /quick-order endpoint; no session or authentication token is required to exploit.
- The Nuclei template uses a 20-second HTTP timeout to accommodate the sleep(5) payload; WAF or network-level timeout rules shorter than this may suppress detection.
No detection rules found.
Nuclei template: CVE-2023-36284 [HIGH] QloApps 1.6.0 - SQL Injection (CVSS 7.5)
An unauthenticated Time-Based SQL injection found in Webkul QloApps 1.6.0 via GET parameters date_from, date_to, and id_product allows a remote attacker to retrieve the contents of an entire database.
Template:

```yaml
id: CVE-2023-36284

info:
  name: QloApps 1.6.0 - SQL Injection
  author: ritikchaddha
  severity: high
  description: |
    An unauthenticated Time-Based SQL injection found in Webkul QloApps 1.6.0 via GET parameters date_from, date_to, and id_product allows a remote attacker to retrieve the contents of an entire database.
  impact: |
    Successful exploitation could lead to unauthorized access to sensitive data.
  remediation: |
    Apply the vendor-supplied patch or upgrade to a non-vulnerable version.
  reference:
    - https://flashy-lemonade-192.notion.site/Time-Based-SQL-
```