CVE-2014-5104

ol-commerce 2.1.1 - SQL Injection via Multiple Parameters


Exploitation Summary

EIP tracks 4 public exploits for CVE-2014-5104. PoCs published by AtT4CKxT3rR0r1ST.

AI-analyzed exploit summary: This exploit demonstrates a SQL injection vulnerability in ol-commerce 2.1.1 via the 'country' parameter in the account creation process. The payload extracts database and version information using a time-based blind SQLi technique.

Description

Multiple SQL injection vulnerabilities in ol-commerce 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) a_country parameter in a process action to affiliate_signup.php, (2) affiliate_banner_id parameter to affiliate_show_banner.php, (3) country parameter in a process action to create_account.php, or (4) entry_country_id parameter in an edit action to admin/create_account.php.

Exploits (4)

exploitdb · WORKING POC · VERIFIED
by AtT4CKxT3rR0r1ST · text · webapps · php
https://www.exploit-db.com/exploits/39345

This exploit demonstrates a SQL injection vulnerability in ol-commerce 2.1.1 via the 'country' parameter in the account creation process. The payload extracts database and version information using a time-based blind SQLi technique.

Classification: Working PoC 90%
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: ol-commerce 2.1.1
No auth needed
Prerequisites: Access to the target application's create_account.php endpoint
devstral-2 · analyzed Feb 16, 2026

exploitdb · WORKING POC · VERIFIED
by AtT4CKxT3rR0r1ST · text · webapps · php
https://www.exploit-db.com/exploits/39343

This exploit demonstrates a SQL injection vulnerability in ol-commerce 2.1.1 via the 'a_country' parameter in the affiliate signup process. The PoC includes a crafted HTTP POST request with a malicious payload to extract sensitive data from the 'customers' table.

Classification: Working PoC 90%
Attack Type: SQLi
Complexity: Trivial
Reliability: Reliable
Target: ol-commerce 2.1.1
No auth needed
Prerequisites: Access to the affiliate signup page · Network connectivity to the target server
devstral-2 · analyzed Feb 16, 2026

exploitdb · WRITEUP · VERIFIED
by AtT4CKxT3rR0r1ST · text · webapps · php
https://www.exploit-db.com/exploits/39344

The provided text describes SQL injection and XSS vulnerabilities in ol-commerce 2.1.1, with an example URL demonstrating the SQL injection point. No actual exploit code is included.

Classification: Writeup 80%
Attack Type: SQLi
Complexity: Trivial
Reliability: Theoretical
Target: ol-commerce 2.1.1
No auth needed
Prerequisites: Access to the vulnerable application URL
devstral-2 · analyzed Feb 16, 2026

exploitdb · WORKING POC · VERIFIED
by AtT4CKxT3rR0r1ST · text · webapps · php
https://www.exploit-db.com/exploits/39346

This exploit demonstrates a SQL injection vulnerability in ol-commerce 2.1.1 via the `entry_country_id` parameter in the admin create_account.php endpoint. The PoC includes a crafted payload to extract database information and version details.

Classification: Working PoC 90%
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: ol-commerce 2.1.1
Auth required
Prerequisites: Access to the admin panel · Valid session cookie
devstral-2 · analyzed Feb 16, 2026

Scores

EPSS: 0.0214
EPSS Percentile: 79.6%

Details

CWE: CWE-89
Status: published
Products (1): ol-commerce_project/ol-commerce 2.1.1
Published: Jul 28, 2014
Tracked Since: Feb 18, 2026