Submission #803623: SourceCodester Pizzafy Ecommerce System 1.0 SQL Injection

Information

Title: SourceCodester Pizzafy Ecommerce System 1.0 SQL Injection
Description: Pizzafy Ecommerce System 1.0 contains an authenticated error-based SQL Injection vulnerability in the save_settings functionality, specifically in the name parameter processed by the endpoint /pizzafy/admin/ajax.php?action=save_settings. The vulnerability is caused by improper sanitization of user-controlled input before it is concatenated into an SQL UPDATE statement. An authenticated attacker can inject SQL expressions and trigger database errors that disclose backend information such as the current database name, table structure, and other sensitive details. Successful exploitation may also allow unauthorized modification of stored application data. The issue originates in the save_settings() method, where POST parameters are embedded directly into a dynamic query without prepared statements. This vulnerability maps to CWE-89: Improper Neutralization of Special Elements used in an SQL Command.
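The pattern the description names (a POST value concatenated into an UPDATE, with the raw database error echoed back) and its remediation, as an added illustration that is not Pizzafy's own code: the table and column names, the `$conn` handle and the settings row id are assumptions, and the function names are hypothetical.

```php
<?php
// Added example (not from the Pizzafy project). Assumed: a mysqli connection
// in $conn, a table system_settings with a column name, and a settings row id 1.

// VULNERABLE pattern: the POST value is concatenated straight into the UPDATE.
// A single quote in $_POST['name'] terminates the string literal and changes the
// statement's structure; echoing $conn->error then returns the database's own
// message (including schema details) to the client, which is the error-based
// disclosure the advisory describes.
function save_settings_vulnerable(mysqli $conn): void
{
    $name = $_POST['name'] ?? '';
    $sql  = "UPDATE system_settings SET name = '$name' WHERE id = 1";
    if (!$conn->query($sql)) {
        echo $conn->error; // leaks backend error text to the requester
    }
}

// HARDENED version: a prepared statement transmits the value separately from the
// SQL text, so user input can never alter the statement. Database errors are
// logged server-side and only a boolean outcome reaches the caller.
function save_settings_hardened(mysqli $conn): bool
{
    $name = trim($_POST['name'] ?? '');
    // Validate in addition to parameterising: an empty or oversized store name
    // is rejected before the database is touched (length limit is an assumption).
    if ($name === '' || mb_strlen($name) > 100) {
        return false;
    }

    $stmt = $conn->prepare('UPDATE system_settings SET name = ? WHERE id = 1');
    if ($stmt === false) {
        error_log('save_settings: prepare failed: ' . $conn->error);
        return false;
    }
    $stmt->bind_param('s', $name);   // 's' = bind as a string parameter
    $ok = $stmt->execute();
    if (!$ok) {
        error_log('save_settings: execute failed: ' . $stmt->error);
    }
    $stmt->close();
    return $ok;
}

// Callers respond with a generic status code rather than any error text.
function handle_save_settings(mysqli $conn): void
{
    header('Content-Type: application/json');
    echo json_encode(['ok' => save_settings_hardened($conn)]);
}
```

Two points for whoever patches or reviews code like this: parameterisation (bind_param) is what closes CWE-89, and the input length check is defence in depth rather than a substitute for it; separately, the error-based disclosure only exists because the handler prints `$conn->error`, so keeping database error text out of HTTP responses (display_errors off, errors logged server-side) removes the information leak even where a query still fails.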
Source: https://github.com/r3ng4f/Pizzafy_1/blob/main/02-exploit.md
User: r3ng4f (UID 73285)
Submission: 13/04/2026 05:06 PM (2 months ago)
Moderation: 29/04/2026 03:17 PM (16 days later)
Status: Accepted
VulDB Entry: 360142 [SourceCodester Pizzafy Ecommerce System 1.0 ajax.php?action=save_menu SQL Injection]
Points: 20
