Vulnerability Name: SQL Injection in "produit_details.php?id" parameter
Date of Discovery: 10 July 2021
Product version: 9.4.0. Download link
Author: faisalfs10x
Vulnerability Description: An unauthenticated public user/guest can inject a malicious SQL query that alters the execution of the application's predefined SQL commands via the "id" parameter of the "/peel-shopping_9_4_0/achat/produit_details.php?id=[SQLi]" endpoint. A successful SQL injection attack lets the attacker read sensitive data from the database or modify database data.
Vulnerable URL: http://localhost/peel-shopping_9_4_0/achat/produit_details.php?id=[SQLi]
Proof of Concept:
1) Assuming an out-of-the-box peel-shopping_9_4_0 installation, the database name is peel. This query checks whether the database() name is like hex(%peel%): a 7-second delay before the redirect to the homepage (http://localhost/peel-shopping_9_4_0/) indicates that the injected SQL statement evaluated TRUE, i.e. the database name is like "peel".
2) Assuming the site uses a MariaDB database server, check whether db_version is like hex(%MariaDB%); the response is delayed by 5 seconds if TRUE.
3) By default, the database contains a table named peel_produits. This query checks whether table_name peel_produits exists: the response is delayed by 10 seconds if TRUE, otherwise it redirects to the homepage instantly.
[PoC enum table peel_produits]

To produce a SQL syntax error, it is possible to intercept the request before it is redirected to the homepage using a tool like Burp Suite (Repeater).
Dump table name = peel_profil
Consequences:
- Confidentiality: Since SQL databases generally hold sensitive data, loss of confidentiality is a frequent problem with SQL Injection vulnerabilities.
- Integrity: Just as it may be possible to read sensitive information, e.g. client/customer data, it is also possible to modify or even delete this information with a SQL Injection attack.
Mitigation: Use prepared statements with parameterized queries. It is also good practice to cast the 'id' parameter to an integer so that only numerical data reaches the query, e.g. intval($_GET['id']).
Reference for mitigating the vulnerability: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
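The following is an added example, not PEEL Shopping's own code, showing the insecure pattern this advisory describes next to the two mitigations it recommends (integer cast plus a parameterized query). It uses an in-memory SQLite database through PDO so it runs stand-alone; the table `produits`, its columns, and the request values are constructed for illustration and do not come from the product.

```php
<?php
// Added example (not PEEL Shopping's code). Demonstrates string-concatenated
// SQL versus intval() + a PDO prepared statement. The schema below is
// constructed for this example only.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE produits (id INTEGER PRIMARY KEY, nom TEXT, prix REAL)');
$pdo->exec("INSERT INTO produits (id, nom, prix) VALUES (1, 'Chair', 49.90), (2, 'Table', 149.00)");

// INSECURE: the raw query-string value becomes part of the SQL text, so the
// client controls the statement. This is the class of flaw the advisory reports.
function produitDetailsInsecure(PDO $pdo, string $id): array
{
    $sql = "SELECT id, nom, prix FROM produits WHERE id = " . $id;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: cast to int first, which turns any non-numeric input into 0 and is
// rejected, then bind the value as a typed parameter so the database engine
// never interprets it as SQL.
function produitDetailsSafe(PDO $pdo, $rawId): array
{
    $id = intval($rawId);
    if ($id <= 0) {
        return []; // missing or non-numeric id: nothing to look up
    }
    $stmt = $pdo->prepare('SELECT id, nom, prix FROM produits WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed request values: a normal lookup and a tampered one that appends a
// tautology to the WHERE clause.
$normal   = '2';
$tampered = '0 OR 1=1';

echo "insecure, normal:   " . count(produitDetailsInsecure($pdo, $normal)) . " row(s)\n";
echo "insecure, tampered: " . count(produitDetailsInsecure($pdo, $tampered)) . " row(s)\n";
echo "safe, normal:       " . count(produitDetailsSafe($pdo, $normal)) . " row(s)\n";
echo "safe, tampered:     " . count(produitDetailsSafe($pdo, $tampered)) . " row(s)\n";
```

Running this shows the insecure function returning every product row for the tampered value while the hardened one returns nothing, because `intval('0 OR 1=1')` yields 0 and the check rejects it; even if a numeric id survives the cast, the bound parameter cannot change the shape of the statement. The same two-step pattern applies to `produit_details.php` whatever the real table and column names are.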