PiHome SQL Injection Vulnerability in ajax.php Component
Vulnerability
A critical SQL injection vulnerability has been identified in PiHome HVAC version 2.0, specifically within the ajax.php file. The issue arises in the 'GetModal_Sensor_Graph' AJAX endpoint, where user input is not properly sanitized before being incorporated into SQL queries. This vulnerability allows remote attackers to inject malicious SQL, potentially leading to unauthorized data access or manipulation. The vulnerability has been publicly disclosed and could be actively exploited.
Impact
Exploitation of this vulnerability allows for SQL injection, where attackers can manipulate database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.
Reproduction
To reproduce this vulnerability, first set up the PiHome HVAC application and add a sensor to the database. Once a sensor is established, send a GET request to 'ajax.php' with the 'Ajax' parameter set to 'GetModal_Sensor_Graph' followed by a crafted SQL injection payload, such as '1 OR (sleep(20)) LIMIT 100;--'. Because the parameter is concatenated into the query without sanitization, the injected sleep() call is executed by the database server, and the resulting delay in the response confirms the flaw.
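The following is an added illustration, not code from PiHome or from the advisory. It reconstructs the class of flaw described above in a small self-contained Python/SQLite model: a handler that pastes the request parameter into SQL beside a hardened handler that whitelists the sensor id as an integer and binds it as a query parameter, plus a log check that flags GetModal_Sensor_Graph calls whose arguments are not plain integers. The sensors table, the column names, the access-log lines and the use of an `id` parameter are all constructed assumptions (the advisory does not name the parameter that carries the payload), and SQLite has no sleep(), so the vulnerable path is exercised with a simplified tautology rather than the time-based payload on the page.

```python
import re
import sqlite3
from urllib.parse import parse_qsl, urlsplit

# Constructed stand-in for a sensor table (assumption; not PiHome's real schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sensors (id INTEGER PRIMARY KEY, name TEXT, value REAL)")
    conn.executemany(
        "INSERT INTO sensors VALUES (?, ?, ?)",
        [(1, "living_room", 21.5), (2, "boiler", 58.0), (3, "garage", 9.2)],
    )
    return conn


def vulnerable_sensor_graph(conn, sensor_id: str):
    # The pattern the advisory describes: request input concatenated into SQL,
    # so anything the client sends is parsed as part of the statement.
    sql = f"SELECT id, name, value FROM sensors WHERE id = {sensor_id}"
    return conn.execute(sql).fetchall()


# A sensor id is a small positive integer; anything else is rejected outright.
SENSOR_ID_RE = re.compile(r"[0-9]{1,10}")


def hardened_sensor_graph(conn, sensor_id: str):
    # Two independent layers: allow-list validation of the raw string, then a
    # bound parameter so the value can never be interpreted as SQL syntax.
    if not SENSOR_ID_RE.fullmatch(sensor_id):
        raise ValueError("invalid sensor id")
    sql = "SELECT id, name, value FROM sensors WHERE id = ?"
    return conn.execute(sql, (int(sensor_id),)).fetchall()


def hardened_rejects(conn, sensor_id: str) -> bool:
    """True when the hardened handler refuses the input before touching the database."""
    try:
        hardened_sensor_graph(conn, sensor_id)
    except ValueError:
        return True
    return False


# Detection side: scan web-server access logs (combined log format assumed) for
# GetModal_Sensor_Graph requests carrying a non-integer argument.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')


def suspicious_requests(log_lines):
    """Return (line_no, client_ip, parameter, value) for each argument that is not a plain integer."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        params = parse_qsl(query, keep_blank_values=True)
        if ("Ajax", "GetModal_Sensor_Graph") not in params:
            continue
        for key, value in params:
            if key != "Ajax" and not SENSOR_ID_RE.fullmatch(value):
                hits.append((line_no, line.split()[0], key, value))
    return hits


# Constructed sample log lines (not real traffic); line 2 carries the advisory's payload URL-encoded.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /ajax.php?Ajax=GetModal_Sensor_Graph&id=1 HTTP/1.1" 200 512',
    '192.0.2.20 - - [10/Oct/2023:13:56:01 +0000] "GET /ajax.php?Ajax=GetModal_Sensor_Graph&id=1%20OR%20(sleep(20))%20LIMIT%20100;-- HTTP/1.1" 200 480',
    '192.0.2.30 - - [10/Oct/2023:13:56:07 +0000] "GET /index.php HTTP/1.1" 200 2048',
]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal id:  ", vulnerable_sensor_graph(db, "1"))
    print("vulnerable, tautology:  ", vulnerable_sensor_graph(db, "1 OR 1=1"))  # leaks every row
    print("hardened, normal id:    ", hardened_sensor_graph(db, "2"))
    print("hardened rejects payload:", hardened_rejects(db, "1 OR (sleep(20)) LIMIT 100;--"))
    for hit in suspicious_requests(SAMPLE_LOG):
        print("suspicious request:", hit)
```

The validation step matters even with parameterized queries: a bound parameter stops the injection, but rejecting anything that is not an integer also keeps the database from ever seeing the probe and gives the application a clean event to log and alert on.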
