SourceCodester Pizzafy Ecommerce System SQL Injection Vulnerability in Admin View Order Component
Vulnerability
A SQL injection vulnerability has been identified in SourceCodester Pizzafy Ecommerce System version 1.0. The issue resides in the admin/view_order.php file, specifically in the handling of the GET parameter 'id'. Because the value of 'id' is used in a database query without proper validation or parameterization, an authenticated administrator can manipulate it to inject arbitrary SQL. The flaw is exploitable remotely and has been publicly disclosed.
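The following is an added example, not code from the Pizzafy project or from the advisory. It shows the class of defect described above (a request parameter concatenated into SQL text) next to a hardened version of the same handler that validates the parameter's type and binds it through a prepared statement. Only the file admin/view_order.php and the GET parameter 'id' come from the advisory; the table name orders, the column name id, and the PDO connection details are assumptions.

```php
<?php
// Added example, not the Pizzafy project's own code. The table and column
// names (orders, id) and the PDO connection details are assumptions; only the
// file admin/view_order.php and the GET parameter 'id' are from the advisory.

// --- Vulnerable pattern (the class of defect the advisory describes) ---
// The request parameter is concatenated straight into the query, so a crafted
// value changes the structure of the query instead of being treated as data.
function viewOrderVulnerable(PDO $db, array $get): array
{
    $id = $get['id'] ?? '';
    $sql = "SELECT * FROM orders WHERE id = '" . $id . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// --- Hardened pattern ---
// 1. Validate the parameter's type before it reaches the database layer: an
//    order id is a positive integer, so anything else is rejected outright.
// 2. Use a prepared statement with a bound parameter, so the value is always
//    sent to the server as data and can never alter the SQL text.
function viewOrderHardened(PDO $db, array $get): ?array
{
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($id === false) {
        // Reject the request; do not echo a database error into the response.
        http_response_code(400);
        return null;
    }

    $stmt = $db->prepare('SELECT * FROM orders WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Connection setup for the example (assumed DSN and credentials). Disabling
// emulated prepares makes the MySQL server perform the parameter binding;
// ERRMODE_EXCEPTION turns driver errors into exceptions the application can
// catch and log instead of printing the raw SQL error into the page.
function connect(): PDO
{
    $dsn = 'mysql:host=127.0.0.1;dbname=pizzafy;charset=utf8mb4';
    return new PDO($dsn, 'app_user', getenv('DB_PASSWORD'), [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

try {
    $db = connect();
    $order = viewOrderHardened($db, $_GET);
    if ($order === null) {
        exit;
    }
    header('Content-Type: application/json');
    echo json_encode($order);
} catch (PDOException $e) {
    error_log('view_order failed: ' . $e->getMessage());
    http_response_code(500);
}
```

The integer check matters on its own: even with a prepared statement, rejecting non-numeric input up front means a probe such as a quote or comment sequence in 'id' gets a generic 400 rather than a database error message, which removes the error-based feedback the reproduction steps below rely on.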
Impact
Exploitation of this vulnerability allows an authenticated administrator to inject SQL commands that can be executed by the database. This could lead to unauthorized data access, modification, or deletion. In this case, the vulnerability was exploited to dump the entire database, including sensitive information such as user details and order information.
Reproduction
To reproduce this vulnerability, log in as an administrator and navigate to the orders page. Intercept the request to 'view_order.php' using Burp Suite, and modify the 'id' parameter to inject SQL payloads. After triggering a SQL error, use sqlmap to exploit the injection and dump the database.