Niushop B2B2C V5 is a popular ecommerce software solution. However, a significant vulnerability (CVE-2024-25247) has been discovered in the application's /app/api/controller/Store.php file that allows attackers to execute arbitrary SQL commands. Specifically, the vulnerability enables attackers to manipulate the latitude and longitude parameters, thereby causing a potential breach to sensitive data. In this article, we dig deep into the exploit details, the code snippet associated with the vulnerability, and provide links to the original references.

Vulnerability Details

The arbitrary SQL command execution arises from a flaw within the /app/api/controller/Store.php file. Attackers with malicious intent can abuse the latitude and longitude parameters for the generation of SQL queries. These queries, when injected into the application, can compromise data integrity and lead to unauthorized access to the database.

Code Snippet

The affected code snippet in the /app/api/controller/Store.php file is as follows (note the latitude and longitude parameters in $condition array):

public function page(){
    ...
    $latitude = request()->post('latitude', '');
    $longitude = request()->post('longitude', '');
    
    if (!empty($latitude) && !empty($longitude)){
        $condition[] = ['latitude', '=', $latitude];
        $condition[] = ['longitude', '=', $longitude];
    }
    ...
}

Exploit Details

An attacker could exploit this vulnerability by sending a specially crafted HTTP request to the vulnerable /app/api/controller/Store.php file. The request should include manipulated latitude and longitude parameters, designed to inject the arbitrary SQL query.

For instance, an attacker could send the following POST request to exploit the vulnerability

POST /app/api/controller/Store.php HTTP/1.1
Host: [TARGET]
Content-Type: application/x-www-form-urlencoded
Content-Length: length

latitude=40.7128' AND SLEEP(3)--&longitude=-74.006

In this example, the attacker injects an SQL payload that activates a delay in the server response through the SLEEP function. If the server's response is delayed by three seconds, it can indicate a successful injection and vulnerability exposure.

Original References

To better understand the vulnerability and its impact, we recommend reviewing the following links providing detailed information on CVE-2024-25247:

1. CVE-2024-25247 - Detailed Description
2. National Vulnerability Database - CVE-2024-25247
3. Niushop B2B2C v5

Mitigation

To mitigate this SQL injection vulnerability, developers should implement input validation and parameterization for SQL queries execution. By following best practices in secure coding, it is possible to prevent SQL injection attacks and ensure the safety of your application and data.

Conclusion

In this article, we shed light on the SQL injection vulnerability (CVE-2024-25247) within Niushop B2B2C V5's /app/api/controller/Store.php file. We explored the exploit details, presented a code snippet associated with the flaw, and provided links to the original references. It is crucial to act promptly to patch this vulnerability and prevent unauthorized access to sensitive data.

Timeline

Published on: 02/26/2024 23:15:07 UTC
Last modified on: 08/29/2024 20:36:18 UTC