CVE-2014-10033

osCommerce Online Merchant < 2.3.3.4 - Authenticated SQL Injection via zID Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-10033. PoCs published by Ahmed Aboul-Ela.

AI-analyzed exploit summary This exploit demonstrates a SQL injection vulnerability in osCommerce v2.x, specifically in the 'geo_zones.php' file where the 'zID' parameter is directly concatenated into an SQL query without sanitization. The PoC includes a payload to dump admin credentials and a hybrid attack combining SQLi with XSS to exfiltrate data.

Description

SQL injection vulnerability in the update_zone function in catalog/admin/geo_zones.php in osCommerce Online Merchant 2.3.3.4 and earlier allows remote administrators to execute arbitrary SQL commands via the zID parameter in a list action.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Ahmed Aboul-Ela · textwebappsphp

https://www.exploit-db.com/exploits/31515

View Code ZIP pw:eip

This exploit demonstrates a SQL injection vulnerability in osCommerce v2.x, specifically in the 'geo_zones.php' file where the 'zID' parameter is directly concatenated into an SQL query without sanitization. The PoC includes a payload to dump admin credentials and a hybrid attack combining SQLi with XSS to exfiltrate data.

Classification

Working Poc 95%

Attack Type

Sqli

Complexity

Trivial

Reliability

Reliable

Target: osCommerce v2.3.3.4 and prior versions

Auth required

Prerequisites: Authenticated admin account · Access to the vulnerable 'geo_zones.php' endpoint

MITRE ATT&CK