Exploit for QloApps 1.6.0 - SQL Injection (CVE-2023-36284)

Description:

An unauthenticated time-based SQL injection in Webkul QloApps 1.6.0, reachable via the GET parameters date_from, date_to, and id_product, allows a remote attacker to retrieve the contents of an entire database.

Nuclei Template

View the template here: CVE-2023-36284.yaml

Validate with Nuclei

echo "$URL" | nuclei -t ~/nuclei-templates/http/cves/2023/CVE-2023-36284.yaml

References:

https://nvd.nist.gov/vuln/detail/CVE-2023-36284
https://flashy-lemonade-192.notion.site/Time-Based-SQL-injection-in-QloApps-1-6-0-be3ed1bdaf784a77b45dc6898a2de17e