A vulnerability has been found in 7-card Fakabao up to 1.0_build20230805 and classified as critical. Affected by this vulnerability is an unknown functionality of the file shop/alipay_notify.php. The manipulation of the argument out_trade_no leads to sql injection. The exploit has been disclosed to the public and may be used. The identifier VDB-249385 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Critical SQL injection vulnerability exists in 7-card Fakabao versions up to 1.0_build20230805, allowing attackers to potentially compromise the database and steal sensitive information. The vulnerability, located in shop/alipay_notify.php, is easily exploitable due to a lack of input validation on the out_trade_no parameter, and a public exploit is available.
Step 1: Payload Delivery: The attacker crafts a malicious out_trade_no value containing SQL injection code. This payload is designed to manipulate the database query.
Step 2: Request Submission: The attacker sends a specially crafted HTTP request to shop/alipay_notify.php, including the malicious out_trade_no value.
Step 3: Query Execution: The vulnerable PHP script receives the request and incorporates the attacker-supplied out_trade_no directly into an SQL query. No sanitization or escaping is performed.
Step 4: Database Manipulation: The database server executes the injected SQL code. This could lead to various malicious actions, such as data exfiltration, account compromise, or complete database takeover.
Step 5: Information Disclosure/System Compromise: Depending on the injected SQL code, the attacker can extract sensitive information (e.g., usernames, passwords, payment details) or gain unauthorized access to the system.
The root cause is a classic SQL injection vulnerability. The shop/alipay_notify.php script, likely responsible for handling Alipay payment notifications, directly incorporates the user-supplied out_trade_no parameter into an SQL query without proper sanitization or escaping. This allows an attacker to inject malicious SQL code, altering the query's intended behavior. The lack of input validation, such as checking the data type or length of the out_trade_no parameter, exacerbates the issue. The vulnerability stems from a failure to implement secure coding practices, specifically failing to sanitize user-supplied input before using it in database queries. This leads to the injection of malicious SQL commands.