Hello everyone, I'm tltp188. Today I want to share an analysis of CVE-2024-34949, a SQL injection vulnerability in the OrderLogic::getOrderList function, reachable through the /admin/order/lists.html endpoint.

📌 Base Score CVSS3.1: 8.2 High

🎯 Target

Likeshop is an open source commerce center system designed for e-commerce fields. The software is designed to be easy to install, use, and operate, suitable for E-commerce companies, software companies, developers, the teaching field, etc.

https://github.com/likeshop-github/likeshop

🔍 Exploitation Analysis

The approach used in this article is source code review: reading the codebase to identify vulnerabilities, which is the most accessible method for open-source software. SQL injection is one of the most dangerous and longest-standing classes of attack and has caused many significant data breaches. Without further ado, below is how I found the vulnerability in the Likeshop application.

🔴 Root Cause

Likeshop is primarily written in PHP on the ThinkPHP framework and relies on its Object Relational Mapping (ORM) layer. ThinkPHP provides a powerful ORM that lets the application interact with the database through objects, which reduces the need to write SQL by hand and gives a more flexible way of working with data. However, an ORM does not protect against injection by itself: if untrusted input is not carefully validated before it reaches the query, a serious vulnerability is created anyway.

Open the file server\application\api\logic\OrderLogic.php:

```php
public static function getOrderList($user_id, $type, $page, $size)
{
    $order = new Order();
    $where[] = ['del', '=', 0];
    $where[] = ['user_id', '=', $user_id];

    // $type comes straight from the request; there is no default case,
    // so any value outside the four below simply adds no status filter
    switch ($type) {
        case 'pay':
            $where[] = ['order_status', '=', CommonOrder::STATUS_WAIT_PAY];
            break;
        case 'delivery':
            $where[] = ['order_status', 'in', [CommonOrder::STATUS_WAIT_DELIVERY, CommonOrder::STATUS_WAIT_RECEIVE]];
            break;
        case 'finish':
            $where[] = ['order_status', '=', CommonOrder::STATUS_FINISH];
            break;
        case 'close':
            $where[] = ['order_status', '=', CommonOrder::STATUS_CLOSE];
            break;
    }

    // ... remainder of the function (query construction) is not shown on this page
}
```

Here is the getOrderList function, which takes user_id, type, page and size as inputs. These parameters arrive via a GET request, and type is then used in a switch statement to select which order statuses to list. As we can see, there is no validation of this untrusted input.

The getOrderList function is called by the lists function, and the type variable is read directly from the GET parameters of the HTTP request.
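As an added illustration of the fix a reviewer would ask for (this is example code written for this post, not Likeshop's or ThinkPHP's own), the following rebuilds the same filter array as getOrderList but only from validated values. It accepts type strictly from an allow-list of the four cases the switch knows about, coerces user_id to a positive integer, and keeps every condition in the [field, operator, value] form so the ORM binds the value as a parameter. The CommonOrderStatus class and its numeric constants, the function names, and the sample inputs are all assumptions made for this example.

```php
<?php
// Added example (not Likeshop's code): hardened construction of the
// getOrderList() filter. Class, constants and function names are
// illustrative assumptions, not identifiers from the project.
declare(strict_types=1);

// Stand-in for the CommonOrder status constants on the page; the numeric
// values are placeholders chosen for this example.
final class CommonOrderStatus
{
    public const STATUS_WAIT_PAY      = 0;
    public const STATUS_WAIT_DELIVERY = 1;
    public const STATUS_WAIT_RECEIVE  = 2;
    public const STATUS_FINISH        = 3;
    public const STATUS_CLOSE         = 4;
}

// Allow-list: exactly the `type` values the switch in getOrderList handles.
// Anything else is rejected instead of silently listing every order.
const ORDER_LIST_TYPES = ['pay', 'delivery', 'finish', 'close'];

// Reject any `type` that is not one of the known list types. Strict string
// comparison, no trimming, no case folding, no partial matches.
function validateOrderListType(mixed $type): string
{
    if (!is_string($type) || !in_array($type, ORDER_LIST_TYPES, true)) {
        throw new InvalidArgumentException('unsupported order list type');
    }
    return $type;
}

// Coerce user_id to a positive integer; strings that are not plain
// integers are rejected rather than passed through to the query.
function validateUserId(mixed $userId): int
{
    $id = filter_var($userId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('invalid user_id');
    }
    return $id;
}

// Build the where conditions exactly as the page's function does, but only
// after validation. Each entry is [field, operator, value]: user data is
// only ever the bound value, never a field name, operator or raw SQL.
function buildOrderListWhere(mixed $userId, mixed $type): array
{
    $userId = validateUserId($userId);
    $type   = validateOrderListType($type);

    $where = [
        ['del', '=', 0],
        ['user_id', '=', $userId],
    ];

    switch ($type) {
        case 'pay':
            $where[] = ['order_status', '=', CommonOrderStatus::STATUS_WAIT_PAY];
            break;
        case 'delivery':
            $where[] = ['order_status', 'in', [CommonOrderStatus::STATUS_WAIT_DELIVERY, CommonOrderStatus::STATUS_WAIT_RECEIVE]];
            break;
        case 'finish':
            $where[] = ['order_status', '=', CommonOrderStatus::STATUS_FINISH];
            break;
        case 'close':
            $where[] = ['order_status', '=', CommonOrderStatus::STATUS_CLOSE];
            break;
    }
    return $where;
}

// Constructed inputs: one valid request, then three that must be rejected
// (a quote character in type, a non-numeric user_id, a non-string type).
print_r(buildOrderListWhere('42', 'delivery'));

foreach ([['42', "pay'"], ['abc', 'pay'], [42, 1]] as [$uid, $type]) {
    try {
        buildOrderListWhere($uid, $type);
        echo "accepted (unexpected)\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ' . $e->getMessage() . "\n";
    }
}
```

Running the script prints the three-element filter array for the valid call and a "rejected:" line for each of the other three. If the product needs a view that lists every status, add an explicit value such as a fifth allow-listed name rather than relying on the switch having no default case.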

💀 Exploit CVE-2024-34949

The absence of validation or filtering of user-supplied data points to a SQL injection vulnerability in the system. An attacker could supply special characters that break the syntax of the original SQL query and append additional malicious queries.

Sending an HTTP request via the GET method to the endpoint /admin/order/lists.html?type=1&page=1&limit=10