From this webpage screenshot, the following key information about the vulnerability can be obtained: 1. Vulnerability Type: Time-Based SQL Injection (Time-Blind SQLi) 2. Affected Software: Online Shop Store 3. Vulnerability Description: - The vulnerability exists in the handling of the parameter in the script. - The parameter is directly inserted into an SQL query without proper security measures. - Attackers can manipulate the URL to execute arbitrary SQL commands, particularly by using the function to determine if SQL injection is successful based on response time. 4. Vulnerable Code Example: 5. PoC (Proof of Concept): - By appending a single quote to the parameter, a 5-second delay can be triggered, confirming the success of SQL injection. - Example URL: 6. Impact: - Data Leakage: Attackers can extract sensitive data from the database using this vulnerability. - Denial of Service: Time-based blind SQL injection may cause delays or service interruptions, especially when using the function. - Privilege Escalation: If exploited further, it may lead to unauthorized data access or modification. 7. Mitigation Measures: - Sanitize User Input: Use prepared statements (e.g., ) to prevent SQL injection. - Use ORM Libraries: Implement Object-Relational Mapping (ORM) libraries to securely handle SQL queries. - Input Validation: Validate and sanitize all user inputs, especially those from GET and POST parameters. - Set SQL Query Timeout: Configure timeouts for SQL queries to prevent potential DoS attacks via time-based blind SQL injection. This information provides a detailed overview of the vulnerability’s nature, impact, and mitigation strategies, aiding in understanding and addressing this type of SQL injection flaw.