CVE-2023-38890

HIGH

Online Shopping Portal Project 3.1 - SQL Injection

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2023-38890. PoCs published by Tagoletta, akshadjoshi.

AI-analyzed exploit summary This exploit demonstrates an unauthenticated remote code execution vulnerability in Online Shopping Portal 3.1 by leveraging SQL injection for authentication bypass and file upload for PHP shell deployment.

Description

Online Shopping Portal Project 3.1 allows remote attackers to execute arbitrary SQL commands/queries via the login form, leading to unauthorized access and potential data manipulation. This vulnerability arises due to insufficient validation of user-supplied input in the username field, enabling SQL Injection attacks.

Exploits (3)

exploitdb WORKING POC

by Tagoletta · pythonwebappsphp

https://www.exploit-db.com/exploits/50029

View Code ZIP pw:eip

This exploit demonstrates an unauthenticated remote code execution vulnerability in Online Shopping Portal 3.1 by leveraging SQL injection for authentication bypass and file upload for PHP shell deployment.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Online Shopping Portal 3.1

No auth needed

Prerequisites: Network access to the target application · File upload functionality enabled

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1505 - Server Software Component

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC

by Tagoletta · poc

https://github.com/Tagoletta/CVE-2023-38890

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2023-38890, which targets an SQL injection vulnerability in Online Shopping Portal 3.1 to achieve unauthenticated remote code execution. The exploit leverages SQLi for authentication bypass and file upload to deploy a PHP web shell.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Online Shopping Portal 3.1

No auth needed

Prerequisites: Target URL of vulnerable Online Shopping Portal 3.1 instance

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 19, 2026 Full analysis →

nomisec WRITEUP

by akshadjoshi · poc

https://github.com/akshadjoshi/CVE-2023-38890

View Code ZIP pw:eip

This repository provides a detailed technical description and steps to reproduce a time-based blind SQL injection vulnerability in Online Shopping Portal Project V3.1. It includes a specific payload and instructions for exploiting the vulnerability via the login form.

Classification

Writeup 90%

Attack Type

Sqli

Complexity

Moderate

Reliability

Reliable

Target: Online Shopping Portal Project V3.1

No auth needed

Prerequisites: Access to the login form · Burp Suite or similar tool to capture and modify requests

MITRE ATT&CK

T1189 - Drive-by Compromise T1505 - Server Software Component

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (3)

Core 3

Core References

Various Sources

https://tagmachan.com/online-shopping-portal-3-1-sql-injection-to-remote-code-execution-unauthenticated.tagox

Exploit, Third Party Advisory

https://github.com/akshadjoshi/CVE-2023-38890

Exploit, Third Party Advisory

https://www.exploit-db.com/exploits/50029

Scores

CVSS v3 8.8

EPSS 0.0098

EPSS Percentile 57.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-89

Status published

Products (1)

phpgurukul/online_shopping_portal 3.1

Published Aug 18, 2023

Tracked Since Feb 18, 2026