
CVE-2023-30092 PoC — Online Pizza Ordering System SQL Injection Vulnerability

Source
Related vulnerability
Title: Online Pizza Ordering System SQL Injection Vulnerability (CVE-2023-30092)
Description: Online Pizza Ordering System is an online pizza ordering system written by the individual developer Carlo Montero. Online Pizza Ordering System v1.0 contains a security vulnerability: a SQL injection was found through the QTY parameter.
Introduction
# CVE-2023-30092

# All Details about CVE-2023-30092

Software: Online Pizza Ordering System 1.0

Software Link: https://www.sourcecodester.com/php/16166/online-pizza-ordering-system-php-free-source-code.html

Vulnerability Type: SQL Injection

Affected Component: QTY Parameter

Impact, Denial of Service: True

Impact, Code Execution: True

Attack Type: Remote

Vendor of Product: Sourcecodester


# Description:

SQL injection (SQLi) is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It generally allows an attacker to view data that they are not normally able to retrieve. The vulnerability exists in Sourcecodester Online Pizza Ordering System 1.0 in the QTY parameter, found when updating the cart through the ajax.php endpoint.

The affected URL where the vulnerable parameter can be found: http://HOST/php-opos/admin/ajax.php?action=update_cart_qty

Impact: A SQL injection attack can result in unauthorized access to sensitive data, such as passwords, credit card details, or personal user information.

# Vulnerability Description:
The QTY parameter is vulnerable to SQL injection, which allows an attacker to modify the behavior of the application and access data they should not be able to. By submitting a specially crafted payload containing SQL statements, we were able to generate a SQL error message. This indicates that the application is vulnerable to SQL injection attacks.

# Reproduction / Exploit Steps:
To reproduce this vulnerability:
1) Navigate to the Online Pizza Ordering System application.

2) Add a few items to the cart.

3) Update the cart by changing the QTY of an item.

![1](https://user-images.githubusercontent.com/98532470/236751734-2fd065fb-bac4-4aa3-94a4-7f5a1ec6279b.png)

4) Intercept the HTTP request, send it to Repeater, and then append a single quote (`) to the QTY value to get a SQL error in the response from the server.

![2](https://user-images.githubusercontent.com/98532470/236752114-c966fdc0-5889-4b95-996f-a794242db01a.png)

5) An SQL error message is displayed, indicating that the application is vulnerable to SQL injection.

6) Insert the payload below into the QTY parameter of the above request to confirm that the application is vulnerable to SQL injection.

Payload: `(CASE WHEN (9603=9603) THEN SLEEP(11) ELSE 9603 END)`

![3 Payload](https://user-images.githubusercontent.com/98532470/236752867-c8a3dd79-f728-4f43-9c1f-25258d8e965a.png)
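The following is an added defender-side example, not part of this PoC and not the product's own code: the server-side check that the update_cart_qty handler should apply to QTY before the value reaches any query, and a small detector that applies the same rule to captured requests so that non-numeric quantities (including the error-probing quote and the time-based payload shown above) are flagged. The request records are constructed; the endpoint path comes from this page, while the form field names `id` and `qty` are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample requests (method, URL, form body) modelled on the
# update_cart_qty endpoint; the field names id/qty are assumed, not taken from the product.
SAMPLE_REQUESTS = [
    ("POST", "/php-opos/admin/ajax.php?action=update_cart_qty", "id=3&qty=2"),
    ("POST", "/php-opos/admin/ajax.php?action=update_cart_qty", "id=3&qty=2'"),
    ("POST", "/php-opos/admin/ajax.php?action=update_cart_qty",
     "id=3&qty=(CASE WHEN (9603=9603) THEN SLEEP(11) ELSE 9603 END)"),
    ("POST", "/php-opos/admin/ajax.php?action=login", "username=admin&password=x"),
    ("POST", "/php-opos/admin/ajax.php?action=update_cart_qty", "id=3&qty=0"),
]

# The only shape a cart quantity should ever take: a positive integer, no sign, no spaces.
QTY_RE = re.compile(r"[1-9][0-9]{0,5}")

# Cheap signal for an analyst: quote/comment characters and common SQL keywords.
SQL_HINT_RE = re.compile(r"['\"#;]|--|/\*|\b(sleep|benchmark|union|select|case)\b", re.I)


def validate_qty(raw):
    """Server-side check to apply before the value touches the database.
    Returns the quantity as an int, or None when it is not a plain positive integer."""
    if raw is None or not QTY_RE.fullmatch(raw.strip()):
        return None
    return int(raw)


def suspicious_requests(requests):
    """Flag update_cart_qty requests whose qty field fails validate_qty,
    and record why so the finding is readable in a review queue."""
    findings = []
    for method, url, body in requests:
        action = parse_qs(urlsplit(url).query).get("action", [""])[0]
        if action != "update_cart_qty":
            continue
        qty = parse_qs(body, keep_blank_values=True).get("qty", [None])[0]
        if validate_qty(qty) is not None:
            continue  # a well-formed quantity; nothing to report
        reason = "SQL syntax in qty" if SQL_HINT_RE.search(qty or "") else "non-integer qty"
        findings.append({"method": method, "url": url, "qty": qty, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in suspicious_requests(SAMPLE_REQUESTS):
        print(finding)
```

The same `validate_qty` rule, applied in the handler together with a prepared statement, is the fix: a quantity that passes it cannot carry query syntax.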