A vulnerability was found in 7-card Fakabao up to 1.0_build20230805 and classified as critical. Affected by this issue is some unknown functionality of the file shop/notify.php. The manipulation of the argument out_trade_no leads to sql injection. The exploit has been disclosed to the public and may be used. VDB-249386 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Critical SQL injection vulnerability exists in 7-card Fakabao versions up to 1.0_build20230805, allowing attackers to compromise the application's database. Successful exploitation grants unauthorized access to sensitive data, potentially leading to data breaches and system control. The vendor has not responded to the vulnerability disclosure, increasing the risk of widespread exploitation.
Step 1: Payload Delivery: The attacker crafts a malicious SQL injection payload designed to be injected into the out_trade_no parameter of a request to shop/notify.php.
Step 2: Request Submission: The attacker submits the crafted request to the vulnerable application.
Step 3: Query Execution: The application receives the request and, without proper sanitization, incorporates the attacker's payload directly into a SQL query.
Step 4: Database Interaction: The database server executes the modified SQL query, which now includes the attacker's malicious code.
Step 5: Data Exfiltration/Manipulation: Depending on the payload, the attacker can extract sensitive data (e.g., usernames, passwords, credit card details), modify existing data, or potentially gain control of the database server itself.
The vulnerability lies within the shop/notify.php file, specifically in how the out_trade_no parameter is handled. The application fails to properly sanitize or validate user-supplied input before incorporating it into a SQL query. This lack of input validation allows an attacker to inject malicious SQL code through the out_trade_no parameter. The root cause is a missing or inadequate implementation of input validation and parameterized queries, which are crucial for preventing SQL injection attacks. The application likely directly concatenates the user-provided out_trade_no value into a SQL query string without proper escaping or sanitization. This allows an attacker to craft a payload that modifies the query's intended behavior, potentially leading to data exfiltration, modification, or even complete database compromise.