A vulnerability was found in 7-card Fakabao up to 1.0_build20230805. It has been classified as critical. This affects an unknown part of the file shop/wxpay_notify.php. The manipulation of the argument out_trade_no leads to sql injection. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-249387. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Critical SQL injection vulnerability exists in 7-card Fakabao versions up to 1.0_build20230805, allowing attackers to compromise the application's database. Successful exploitation grants attackers the ability to read, modify, or delete sensitive data, potentially leading to complete system compromise and data breaches. The vendor has not responded to the disclosure, increasing the risk of widespread exploitation.
Step 1: Payload Delivery: An attacker crafts a malicious SQL injection payload designed to be injected into the out_trade_no parameter.
Step 2: Request Submission: The attacker sends a specially crafted HTTP request to the shop/wxpay_notify.php file, including the malicious payload in the out_trade_no parameter.
Step 3: Query Execution: The application receives the request and, without proper sanitization, incorporates the attacker's payload directly into an SQL query.
Step 4: Database Manipulation: The database server executes the modified SQL query, allowing the attacker to perform actions such as reading sensitive data (e.g., user credentials, transaction details), modifying data, or even executing arbitrary commands on the database server, depending on the database system and permissions granted to the application's database user.
Step 5: Information Extraction/System Compromise: The attacker leverages the SQL injection to extract sensitive information or further escalate privileges, potentially leading to full system compromise.
The vulnerability stems from insufficient input validation and sanitization of the out_trade_no parameter within the shop/wxpay_notify.php file. The application directly incorporates user-supplied data from this parameter into an SQL query without proper escaping or filtering. This allows an attacker to inject malicious SQL code, altering the intended query logic and enabling unauthorized database access. The root cause is a failure to implement prepared statements or other secure coding practices to prevent SQL injection. The lack of vendor response exacerbates the risk, as no patch or mitigation is available.