SQL Injection in ajax_data.php in unilogies/bumsys
Reported on Apr 26th 2023
Description
An administrator user can use different operations and parameters to execute SQL queries:
- customerId on operations getCustomerPaymentInfo and getCustomerStatementInfo.
- empId on operations getEmpSalaryData, getEmpLoanLoanData and getEmployeeAdvancePaymentsData.
- company_id on operation getCompanyDueBillDetails.
A similar case was reported and fixed on the productDetailsForReturn operation in this bounty, but these endpoints are still vulnerable.
Proof of Concept
All the vulnerable PHP code is in core/ajax/ajax_data.php.
customerId Parameter
There are 3 different points where an SQL Injection can be triggered with the customerId parameter.
The first of them is on line 827, in the getCustomerPaymentInfo operation. The parameter is obtained from the query on line 792 and it is sanitized with the safe_input method.
However, the parameter is set in the SQL query assuming that it is an integer, and it is not enclosed in quotes, so the escaping done by safe_input does not help.
That is why we can inject malicious SQL queries such as:
customerId=1+OR+(SELECT+SLEEP(5))
As we can see, the response is delayed 5 seconds because it is executing the SLEEP.
The second and third vulnerable codes are in getCustomerStatementInfo, on lines 899 and 938, where the customerId is also appended without quotes.
In this case, as the customerId is used in 2 different queries, we can see that the request is delayed 2 times (10 seconds).
empId Parameter
There are 3 different points where an SQL Injection can be triggered with the empId parameter.
The first of them is on line 780, in the getEmpSalaryData operation. The parameter is obtained from the query on line 764 and it is sanitized with the safe_input method.
However, the parameter is set in the SQL query assuming that it is an integer, and it is not enclosed in quotes.
That is why we can inject malicious SQL queries such as:
empId=1+AND+(SELECT+SLEEP(5))
As we can see, the response is delayed 5 seconds because it is executing the SLEEP.
The second vulnerable code is in getEmpLoanLoanData, on line 967, where the empId is also appended without quotes.
The third vulnerable code is in getEmployeeAdvancePaymentsData, on line 1045, where the empId is also appended without quotes.
company_id Parameter
The last vulnerable code is in getCompanyDueBillDetails, on line 1092. It uses another parameter, company_id, which is also sanitised with the safe_input method.
However, as in the other cases, it is appended as an integer without quotes.
In all these cases, the fix is the same as in the other bounty stated above.
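The root cause is the same at every point listed above: an escaping-style sanitiser protects a quoted string context, but a value dropped into an unquoted numeric position can carry any expression. The PHP below is an added example, not code from bumsys; its safe_input(), table and column names are assumptions, and the two hardened forms (integer validation and a prepared statement) are the generic fixes, not necessarily the one applied in the earlier bounty.

```php
<?php
// Added example, not bumsys code. safe_input() here is an assumed stand-in for an
// escaping-style sanitiser; the real function in core/ajax/ajax_data.php is not reproduced.
function safe_input(string $v): string {
    // Escapes quotes and backslashes only (addslashes / real_escape_string style).
    return addslashes(trim($v));
}

// Vulnerable pattern: escaped value interpolated into an unquoted numeric position.
// Nothing in the payload needs a quote, so escaping leaves it intact.
function vulnerable_query(string $customerId): string {
    $customerId = safe_input($customerId);
    return "SELECT * FROM payments WHERE customer_id = $customerId"; // assumed table/column
}

// Hardened form 1: validate and cast before the value touches SQL text.
// Returns null (caller should answer 400) for anything that is not a plain integer.
function hardened_query_cast(string $customerId): ?string {
    if (!ctype_digit($customerId)) {
        return null;
    }
    $id = (int) $customerId;
    return "SELECT * FROM payments WHERE customer_id = $id";
}

// Hardened form 2 (preferred): parameterised query; the value never becomes SQL text.
function hardened_query_prepared(mysqli $db, string $customerId): ?mysqli_result {
    if (!ctype_digit($customerId)) {
        return null;
    }
    $stmt = $db->prepare("SELECT * FROM payments WHERE customer_id = ?");
    $stmt->bind_param("i", $customerId); // bound as integer, independent of SQL parsing
    $stmt->execute();
    $result = $stmt->get_result();
    return $result === false ? null : $result;
}

// Demonstration with the report's payload shape (constructed input, no database needed).
// This is customerId=1+OR+(SELECT+SLEEP(5)) from the PoC after URL decoding.
$payload = "1 OR (SELECT SLEEP(5))";
echo "vulnerable: ", vulnerable_query($payload), "\n";   // payload survives safe_input()
var_dump(hardened_query_cast($payload));                  // rejected before reaching the query
var_dump(hardened_query_cast("42"));                      // plain integer passes through
```

The same check applies unchanged to empId and company_id, since each is interpolated into the same kind of unquoted numeric comparison.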
Impact
A user with administrator privileges can run SQL queries on the database. This can be used to retrieve sensitive data, change database information or perform any other malicious activity against the database.