Share
## https://sploitus.com/exploit?id=D26826E2-D23B-5086-A1D6-8C2AAA5DD217
# Vulnerable Mall (Next.js Red/Blue Team Training Target)

**Vulnerable Mall** is an e-commerce simulation lab built using **Next.js 15.0.0 (App Router)**. It looks and functions like a normal online store, but it intentionally contains numerous common high-risk web vulnerabilities. This project is designed for **Red/Blue Team training**, **CTF exercises**, and **web security education**. > āš ļø **Note**: This project specifically uses **Next.js 15.0.0** with known vulnerabilities (CVE-2025-66478). Do not reuse this project’s dependencies in a production environment.

## šŸš€ Quick Start

### 1. Environment Requirements
* Node.js 18+
* npm or yarn
* **Core Stack**: Next.js 15.0.0, React 19, SQLite3

### 2. Install Dependencies
```bash
npm install
```

### 3. Initialize Database
The project uses SQLite databases. No additional database services are required.
```bash
node scripts/init-db.js
```
This command will create/reset the `yanlian.db` database and populate it with test data.

### 4. Start Server
```bash
npm run dev
```
Visit: [http://localhost:3000](http://localhost:3000)

---

## šŸŽÆ Features and Scenarios of the Lab

### User-Side Features
* **Registration/Login**: Supports account registration (with a trial balance). Authentication is based on cookies. *   **Product Search**: Product display on the homepage, with search functionality. *   **Product Details**: View product details and comment posting. *   **Shopping Cart/Checkout**: Add products, modify quantities, and simulate checkout (balance deduction). *   **Profile**: View balance, update personal information (phone number, address). *   **My Orders**: View history order details. ### Admin Side Features
* **Authorization Verification**: Extremely fragile cookie-based verification mechanism. *   **User Management**: View all user passwords (in plaintext), modify user balances and permissions. *   **Product Management**: Add, edit, delete products; supports image uploading. *   **Order Management**: View all orders. ---

## 🚩 Vulnerabilities Included

> āš ļø **Warning**: This project is intended only for security research and teaching purposes. It must not be deployed in a public network or a production environment! This project includes, but is not limited to, the following vulnerabilities, which are waiting to be discovered by the red team:
1. **SQL Injection**
    * Present in the product search API. *   Present in the product details query logic (simulation). 2. **Broken Access Control**
    * **Vertical Hijacking**: Ordinary users can access the backend by modifying cookies. *   **Horizontal Hijacking (IDOR)**: The order details page does not verify ownership; it’s possible to browse other people’s orders. The API can modify others’ passwords. 3. **XSS**
    * **Stored**: Product comments do not filter HTML tags. Administrators can add HTML-supported product descriptions in the backend. 4. **Business Logic Vulnerabilities**
    * The shopping cart allows negative quantities, causing the balance to ā€œrechargeā€ in reverse during checkout. 5. **Anyfile Uploading**
    * The backend does not verify file type and content when uploading product images. A WebShell can be uploaded (although Next.js does not directly parse PHP, but it can be exploited along with other vulnerabilities or by overwriting files). 6. **Path Traversal**
    * *(Note: This vulnerability exists in the code logic; there is no direct front-end entry. It needs to be discovered through API fuzzing)*
7. **Sensitive Information Leakage**
    * User API returns plaintext passwords. *   **Component Vulnerabilities**: The project forces the use of Next.js 15.0.0, which has information leakage vulnerabilities (CVE-2025-66478—leakage of server-sensitive paths in development mode error pages or specific headers). ---

## šŸ›”ļø Blue Team Defense Guide

If you are on the blue team, you can try:
1. **Code Fixes**:
    * Use parameterized queries to fix SQL injection. *   Implement strict Session/JWT authentication, replacing plaintext cookie verification. *   Add IDOR permission checks (binding `user_id`). *   Filter input/output to prevent XSS. 2. **WAF Rule Writing**:
    * Write Nginx/WAF rules to intercept malicious payloads (such as `UNION SELECT`, ``, `../`, etc.) without modifying the code. 3. **Log Analysis**:
    * Analyze access logs to identify the attacker’s IP and attack path. ---

## šŸ“ Statement

This project is used solely for cybersecurity education purposes. The developer assumes no responsibility for any illegal attacks conducted using this project. Please comply with local laws and regulations.