# CVE-2025-52021 — Time-Based Blind SQL Injection in PuneethReddyHC / Online Shopping System Advanced (v1.0)
**CVE:** CVE-2025-52021
**Title:** Time-Based Blind SQL Injection via `product_id` parameter in `edit_product.php`
**Vendor / Repo:** PuneethReddyHC — https://github.com/PuneethReddyHC/online-shopping-system-advanced
**Affected Version:** 1.0 (branch/tag `master` at time of testing)
**Discoverer:** Hafiz Pradana Gemilang
**Disclosure status:** Vendor notified privately. Full exploit PoC withheld from public disclosure for user safety.
---
## Summary
A **time-based blind SQL injection** vulnerability was found in `admin/admin/edit_product.php` of the Online Shopping System Advanced v1.0. The `product_id` GET parameter is interpolated into a SQL query without proper validation or parameterization. An attacker can inject time-delay functions (e.g. `SLEEP`) to observe server response delays and infer database behavior, confirming a remote SQL injection point.
> Note: This advisory intentionally excludes a runnable exploit payload. Proof-of-concept details have been shared privately with the maintainer to allow remediation.
---
## Affected endpoint (example)
```
/admin/admin/edit_product.php?product_id=<value>
```
Example local testing URL:
```
http://<host>/online-shopping-system-advanced-master/admin/admin/edit_product.php?product_id=0
```
---
## Vulnerability details
- **Type:** SQL Injection (Time-Based Blind)
- **Parameter:** `product_id` (GET)
- **Location:** `admin/admin/edit_product.php`
- **Attack vector:** Remote (crafted URL); no authentication required if the admin endpoint is publicly accessible or reachable by the attacker.
- **Preconditions:** The endpoint must accept the `product_id` parameter and include it in a SQL statement without parameterization.
---
## Evidence (timing tests summary)
Timing-based injection attempts using database `SLEEP()` semantics produced measurable server-side delays consistent with successful injection:
- `SLEEP(6)` → observed response delay ≈ 6.01s
- `SLEEP(15)` → observed response delay ≈ 15.00s
- `SLEEP(0)` → baseline response delay ≈ 0.01s
These results indicate a blind SQL injection point that permits time-based inference. The database name observed during testing: `onlineshop`.
---
## Impact
Successful exploitation of this vulnerability allows attackers to:
- Confirm and enumerate database content via blind/time-based techniques.
- Exfiltrate data (schema, table names, rows) with automated tools (e.g. sqlmap) using time-based techniques.
- Potentially escalate to further compromise depending on database privileges and application context.
Estimated severity: **High**
---
## Reproduction (high-level)
1. Send a crafted request to the `product_id` parameter that includes time-delay SQL constructs (testing performed with `SLEEP()` variations).
2. Observe server response time to infer whether injected expression executed.
3. Repeated tests with different payloads allow automated extraction via time-based techniques.
> Full step-by-step PoC omitted from public advisory — contact the reporter for encrypted PoC under responsible disclosure terms.
---
## Recommended Remediation
1. **Use parameterized queries / prepared statements** for all database access. Do not concatenate user input into SQL strings.
   - Example (PHP + PDO):
   ```php
   $product_id = filter_input(INPUT_GET, 'product_id', FILTER_VALIDATE_INT); // null/false when missing or not an integer
   $stmt = $pdo->prepare('SELECT * FROM products WHERE id = ?');             // placeholder, never string concatenation
   $stmt->execute([$product_id]);
   $product = $stmt->fetch(PDO::FETCH_ASSOC);
   ```
2. **Validate and sanitize input**: treat `product_id` as an integer and validate accordingly (e.g. `filter_input(INPUT_GET, 'product_id', FILTER_VALIDATE_INT)`).
3. **Least privilege**: ensure the database user used by the web application has minimal privileges (avoid `DROP`, `ALTER`, `GRANT`, or administrative rights).
4. **Error handling**: avoid leaking database errors to the client. Use generic error messages and log detailed errors server-side.
5. **WAF / rate-limiting**: as a temporary mitigation, implement WAF rules to detect common SQLi patterns and enforce rate-limits to slow mass extraction attempts.
6. **Audit related endpoints**: review other admin endpoints and parameters for similar injection patterns.
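As an added defender-side example (not part of this advisory or the project), the following Python script scans web-server access-log lines for the pattern described in the Evidence section and in remediation item 5: a non-integer `product_id` sent to `edit_product.php`, a time-delay function name in the value, and a response time far above the ~10 ms baseline. The log format (Apache combined with `%D` response time appended), the 3000 ms threshold and the sample lines are assumptions constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample lines in Apache "combined" format with %D (response time in
# microseconds) appended. IPs, timestamps and timings are made up for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jul/2025:10:00:01 +0000] "GET /admin/admin/edit_product.php?product_id=7 HTTP/1.1" 200 4821 "-" "Mozilla/5.0" 11840
10.0.0.9 - - [01/Jul/2025:10:00:02 +0000] "GET /admin/admin/edit_product.php?product_id=0%20AND%20SLEEP(6) HTTP/1.1" 200 4821 "-" "python-requests/2.31" 6012345
10.0.0.9 - - [01/Jul/2025:10:00:09 +0000] "GET /admin/admin/edit_product.php?product_id=0%20AND%20SLEEP(15) HTTP/1.1" 200 4821 "-" "python-requests/2.31" 15003210
10.0.0.5 - - [01/Jul/2025:10:00:20 +0000] "GET /admin/admin/edit_product.php?product_id=12 HTTP/1.1" 200 4830 "-" "Mozilla/5.0" 9870
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<us>\d+)$'
)
# MySQL delay primitives used in time-based blind injection (the advisory observed SLEEP()).
DELAY_RE = re.compile(r'\b(sleep|benchmark)\s*\(', re.IGNORECASE)
# Assumed alert threshold: far above the ~10 ms baseline the advisory reports.
SLOW_MS = 3000


def check_line(line):
    """Return a finding for one log line hitting edit_product.php, or None if benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group('target'))
    if not url.path.endswith('/edit_product.php'):
        return None
    # parse_qs already percent-decodes once; decode again to catch double-encoding.
    raw = parse_qs(url.query, keep_blank_values=True).get('product_id', [''])[0]
    value = unquote_plus(raw)
    latency_ms = int(m.group('us')) / 1000
    reasons = []
    if not re.fullmatch(r'\d+', value):
        reasons.append('non-integer product_id')  # the fix treats product_id as an int
    if DELAY_RE.search(value):
        reasons.append('time-delay function in product_id')
    if latency_ms >= SLOW_MS:
        reasons.append(f'slow response ({latency_ms:.0f} ms)')
    if not reasons:
        return None
    return {'ip': m.group('ip'), 'product_id': value,
            'latency_ms': latency_ms, 'reasons': reasons}


def scan(log_text):
    """Run check_line over every line and keep only the findings."""
    return [f for f in map(check_line, log_text.splitlines()) if f]


if __name__ == '__main__':
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Only requests that trip at least one check are reported, so a benign integer `product_id` with normal latency yields nothing; in production the same checks would run over the real log stream with a threshold tuned to the site's own baseline.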
---
## Suggested sqlmap command
*(Included for vendor/maintainer convenience — do not publish PoC payloads publicly)*
```
sqlmap -u "http://<host>/online-shopping-system-advanced-master/admin/admin/edit_product.php?product_id=0" --dbms=mysql --batch --level=5 --risk=3 --technique=T --time-sec=6
```
---
## References
- OWASP SQL Injection: https://owasp.org/www-community/attacks/SQL_Injection
---
## Contact / Credits
**Discoverer:** Hafiz Pradana Gemilang
- Email: hafizpradana.gemilang21@gmail.com
- GitHub: https://github.com/hafizgemilang/CVE-2025-52021
Vendor / Repo: https://github.com/PuneethReddyHC/online-shopping-system-advanced
---
**Disclaimer:** This public advisory omits exploitable payloads to protect users. Full technical details and PoC are available to the vendor upon request under an agreed responsible disclosure policy.
File snapshot
[4.0K] /data/pocs/fd4b75a9d8e95e62271c2ce98a2436ceb7f8bc38
└── [5.0K] README.md
0 directories, 1 file