Share
## https://sploitus.com/exploit?id=D26826E2-D23B-5086-A1D6-8C2AAA5DD217
# Vulnerable Mall (Next.js Red/Blue Team Training Target)
**Vulnerable Mall** is an e-commerce simulation lab built using **Next.js 15.0.0 (App Router)**. It looks and functions like a normal online store, but it intentionally contains numerous common high-risk web vulnerabilities. This project is designed for **Red/Blue Team training**, **CTF exercises**, and **web security education**. > ā ļø **Note**: This project specifically uses **Next.js 15.0.0** with known vulnerabilities (CVE-2025-66478). Do not reuse this projectās dependencies in a production environment.
## š Quick Start
### 1. Environment Requirements
* Node.js 18+
* npm or yarn
* **Core Stack**: Next.js 15.0.0, React 19, SQLite3
### 2. Install Dependencies
```bash
npm install
```
### 3. Initialize Database
The project uses SQLite databases. No additional database services are required.
```bash
node scripts/init-db.js
```
This command will create/reset the `yanlian.db` database and populate it with test data.
### 4. Start Server
```bash
npm run dev
```
Visit: [http://localhost:3000](http://localhost:3000)
---
## šÆ Features and Scenarios of the Lab
### User-Side Features
* **Registration/Login**: Supports account registration (with a trial balance). Authentication is based on cookies. * **Product Search**: Product display on the homepage, with search functionality. * **Product Details**: View product details and comment posting. * **Shopping Cart/Checkout**: Add products, modify quantities, and simulate checkout (balance deduction). * **Profile**: View balance, update personal information (phone number, address). * **My Orders**: View history order details. ### Admin Side Features
* **Authorization Verification**: Extremely fragile cookie-based verification mechanism. * **User Management**: View all user passwords (in plaintext), modify user balances and permissions. * **Product Management**: Add, edit, delete products; supports image uploading. * **Order Management**: View all orders. ---
## š© Vulnerabilities Included
> ā ļø **Warning**: This project is intended only for security research and teaching purposes. It must not be deployed in a public network or a production environment! This project includes, but is not limited to, the following vulnerabilities, which are waiting to be discovered by the red team:
1. **SQL Injection**
* Present in the product search API. * Present in the product details query logic (simulation). 2. **Broken Access Control**
* **Vertical Hijacking**: Ordinary users can access the backend by modifying cookies. * **Horizontal Hijacking (IDOR)**: The order details page does not verify ownership; itās possible to browse other peopleās orders. The API can modify othersā passwords. 3. **XSS**
* **Stored**: Product comments do not filter HTML tags. Administrators can add HTML-supported product descriptions in the backend. 4. **Business Logic Vulnerabilities**
* The shopping cart allows negative quantities, causing the balance to ārechargeā in reverse during checkout. 5. **Anyfile Uploading**
* The backend does not verify file type and content when uploading product images. A WebShell can be uploaded (although Next.js does not directly parse PHP, but it can be exploited along with other vulnerabilities or by overwriting files). 6. **Path Traversal**
* *(Note: This vulnerability exists in the code logic; there is no direct front-end entry. It needs to be discovered through API fuzzing)*
7. **Sensitive Information Leakage**
* User API returns plaintext passwords. * **Component Vulnerabilities**: The project forces the use of Next.js 15.0.0, which has information leakage vulnerabilities (CVE-2025-66478āleakage of server-sensitive paths in development mode error pages or specific headers). ---
## š”ļø Blue Team Defense Guide
If you are on the blue team, you can try:
1. **Code Fixes**:
* Use parameterized queries to fix SQL injection. * Implement strict Session/JWT authentication, replacing plaintext cookie verification. * Add IDOR permission checks (binding `user_id`). * Filter input/output to prevent XSS. 2. **WAF Rule Writing**:
* Write Nginx/WAF rules to intercept malicious payloads (such as `UNION SELECT`, ``, `../`, etc.) without modifying the code. 3. **Log Analysis**:
* Analyze access logs to identify the attackerās IP and attack path. ---
## š Statement
This project is used solely for cybersecurity education purposes. The developer assumes no responsibility for any illegal attacks conducted using this project. Please comply with local laws and regulations.