SAT CFDI SQL Injection Vulnerability in SignIn Endpoint
Vulnerability
A SQL injection vulnerability has been identified in SAT CFDI version 3.3. It allows attackers to manipulate database queries by injecting SQL code through the 'id' parameter of the signIn endpoint. An attacker can exploit it by sending POST requests whose 'id' value carries a boolean-based blind, stacked-query, or time-based blind SQL injection payload, potentially leading to the extraction of sensitive data or compromise of the application.
Impact
Successful exploitation lets attackers manipulate database queries to access, modify, or extract sensitive data. It could also be used to compromise the application or to exploit other vulnerabilities in the underlying database.
Reproduction
To reproduce this vulnerability, send a POST request to the signIn endpoint with an injected SQL payload in the 'id' parameter. The injection can be crafted to use boolean-based blind SQL injection techniques, stacked queries, or time-based blind SQL injection, depending on the attacker's objective.
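The root cause described above is an 'id' value that reaches the database as part of the SQL text. The following added example (not code from SAT CFDI or from the original advisory) contrasts that pattern with a bound parameter and an allow-list check. The table schema, the id format, the sign_in handler, and the use of SQLite as a stand-in database are all assumptions.

```python
import re
import sqlite3

# Assumed id format for this sketch; the page does not document the real one.
ID_PATTERN = re.compile(r"[A-Za-z0-9_-]{1,64}")

def make_db():
    """Constructed stand-in for the application's user table (schema is assumed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id TEXT PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "Alice"), ("bob", "Bob")])
    return db

def lookup_concatenated(db, user_id):
    """Flawed pattern: 'id' is spliced into the SQL text, so it is parsed as SQL."""
    query = "SELECT id FROM users WHERE id = '" + user_id + "'"
    return sorted(row[0] for row in db.execute(query))

def lookup_parameterized(db, user_id):
    """Hardened pattern: 'id' is bound as a value and never reaches the SQL parser."""
    rows = db.execute("SELECT id FROM users WHERE id = ?", (user_id,))
    return sorted(row[0] for row in rows)

def sign_in(db, user_id):
    """Hypothetical handler: allow-list check first, then the bound query."""
    if not isinstance(user_id, str) or not ID_PATTERN.fullmatch(user_id):
        return 400, []          # rejected before touching the database
    matches = lookup_parameterized(db, user_id)
    return (200, matches) if matches else (401, [])

# Constructed inputs: a legitimate id and an id carrying a quote plus a boolean condition.
LEGIT_ID = "alice"
BOOLEAN_ID = "nobody' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    for value in (LEGIT_ID, BOOLEAN_ID):
        print(repr(value))
        print("  concatenated :", lookup_concatenated(db, value))
        print("  parameterized:", lookup_parameterized(db, value))
        print("  sign_in      :", sign_in(db, value))
```

With the concatenated query the second input changes the WHERE clause and matches every row; with the bound parameter it is compared as a literal string and matches nothing.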
