A vulnerability was found in 7-card Fakabao up to 1.0_build20230805. It has been declared as critical. This vulnerability affects unknown code of the file member/notify.php. The manipulation of the argument out_trade_no leads to sql injection. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-249388. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Critical SQL injection vulnerability exists in 7-card Fakabao versions up to 1.0_build20230805, allowing attackers to compromise the database. Exploitation involves manipulating the out_trade_no parameter in member/notify.php, potentially leading to data breaches and system takeover due to the vendor's lack of response.
Step 1: Payload Delivery: The attacker crafts a malicious payload containing SQL code designed to manipulate the database. This payload is specifically crafted to exploit the vulnerability in the out_trade_no parameter.
Step 2: Request Submission: The attacker sends a specially crafted HTTP request to the member/notify.php script, including the malicious payload within the out_trade_no parameter.
Step 3: Query Execution: The vulnerable PHP script receives the request and incorporates the attacker-controlled out_trade_no value directly into an SQL query without proper sanitization.
Step 4: SQL Injection: The database server executes the modified SQL query, interpreting the attacker's payload as part of the query logic.
Step 5: Data Exfiltration/Manipulation: Depending on the payload, the attacker can then exfiltrate sensitive data (e.g., usernames, passwords, credit card details), modify existing data, or potentially gain full control over the database server.
The vulnerability stems from insufficient input validation and sanitization of the out_trade_no parameter within the member/notify.php file. The application directly incorporates user-supplied data into SQL queries without proper escaping or filtering. This allows an attacker to inject malicious SQL code, altering the query's intended behavior. The root cause is a missing or inadequate implementation of parameterized queries or prepared statements, which would prevent the attacker's SQL code from being interpreted as part of the query logic. The lack of vendor response exacerbates the risk, as no official patches or mitigations are available.