A critical security vulnerability, tracked as CVE-2024-8568, has been discovered in the popular e-commerce software Mini-Tmall. All versions up to 20240901 are affected. This long read breaks down the root cause, shows how to exploit the issue, and offers guidance on mitigation. The discoverer notified the vendor about the flaw, but there has been no response as of publication, leaving users at significant risk. If you run Mini-Tmall, continue reading—your data is at stake.

What is Mini-Tmall?

Mini-Tmall is a PHP-based open-source e-commerce platform common in Asia for small online shops. It offers basic product management, order processing, and reward systems.

CVE-2024-8568 exists due to unsafe handling of input in the orderBy parameter in the endpoint

/tmall/admin/order/1/1

Within this endpoint, the backend uses the rewardMapper.select function, which receives user input directly and inserts it into a SQL query—without proper validation or escaping.

The problematic code sits in the file

tmall/admin/order/1/1

Let's take a look at a (simplified) code snippet:

// tmall/admin/order/1/1 (simplified)

$orderBy = $_GET['orderBy']; // Attacker-controlled value, no validation or escaping
// The raw value is concatenated straight into the ORDER BY clause
$sql = "SELECT * FROM orders WHERE status='1' ORDER BY $orderBy";
$result = $db->query($sql); // The query runs with whatever the client supplied

Here, orderBy is taken directly from the request. An attacker can control how the query is constructed.

Exploit Details

Attack Vector: Remote (via HTTP GET or POST request)

Because the orderBy value is placed unfiltered into the SQL statement, an attacker can manipulate it to alter the query. For example, they can inject arbitrary SQL code, enumerate database tables, extract data, or even escalate privileges.

Using a browser

http://<victim-site>/tmall/admin/order/1/1?orderBy=id;SELECT+user,password+FROM+users--

Using cURL

curl 'http://<victim-site>/tmall/admin/order/1/1?orderBy=id;SELECT+username,password+FROM+users--';

This example tacks on a second SQL clause that instructs the database to leak usernames and passwords from the users table.

Real-World Impact

This is a critical flaw. Unauthenticated attackers on the internet can exploit it without user interaction. Any e-commerce site running a vulnerable Mini-Tmall version is potentially leaking customer data or open to full database compromise.

References & Further Reading

- NVD Entry for CVE-2024-8568 (Coming Soon)
- Exploit Database Entry (if available)
- OWASP SQL Injection Cheat Sheet
- Mini-Tmall GitHub *(For reference; not an actual link)*

Mitigation

If no patched version is available, stop using the software immediately.

- Validate inputs: use prepared statements for every value that can be bound as a parameter, and restrict orderBy to an allow-list of expected column names such as id and date. Note that a column name in ORDER BY cannot be bound as a prepared-statement parameter, so for this particular parameter the allow-list is the actual fix.

Temporary Patch Example

// Only allow expected column names; compare strictly so that a non-string
// value (for example an array) or a loosely-equal value cannot slip through
$allowed = ['id', 'date', 'customer'];
$requested = $_GET['orderBy'] ?? 'id';
$orderBy = in_array($requested, $allowed, true) ? $requested : 'id';
$sql = "SELECT * FROM orders WHERE status='1' ORDER BY $orderBy";
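The same allow-list idea can be turned around and used to find exploitation attempts in existing web server logs: any request to the order endpoint whose orderBy value is not one of the expected column names is worth a look, whether or not it matches a known payload. The script below is an added example written for this post; it is not code from the Mini-Tmall project. It assumes combined-format access logs, the column allow-list from the temporary patch above, and the endpoint path given in the advisory. The log lines are constructed for the example and include the request shown earlier in the post.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Allow-list mirroring the temporary patch above (assumed column names).
ALLOWED_ORDER_BY = frozenset({"id", "date", "customer"})
# Endpoint prefix from the advisory.
ORDER_ENDPOINT_PREFIX = "/tmall/admin/order/"

# Combined log format: client ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log lines (not real traffic). Line 2 carries the request
# shown earlier in the post; lines 3 and 4 are unexpected but not obviously
# hostile values; line 5 is a different endpoint and must be ignored.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Sep/2024:03:10:01 +0000] "GET /tmall/admin/order/1/1?orderBy=date HTTP/1.1" 200 5120
203.0.113.9 - - [08/Sep/2024:03:11:45 +0000] "GET /tmall/admin/order/1/1?orderBy=id;SELECT+user,password+FROM+users-- HTTP/1.1" 500 312
198.51.100.4 - - [08/Sep/2024:03:12:10 +0000] "GET /tmall/admin/order/1/1?orderBy=created_at HTTP/1.1" 200 5120
198.51.100.4 - - [08/Sep/2024:03:12:30 +0000] "GET /tmall/admin/order/1/1?orderBy=id%20desc HTTP/1.1" 200 5120
198.51.100.5 - - [08/Sep/2024:03:13:00 +0000] "GET /tmall/admin/product/list HTTP/1.1" 200 2048
"""


def parse_query(query):
    """Split a query string on '&' only (never on ';', which the payload relies on)
    and percent-decode keys and values, '+' included."""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def classify_order_by(value):
    """Return None for an allow-listed value, otherwise a short reason string."""
    if value in ALLOWED_ORDER_BY:
        return None
    # Statement separators, comment markers, quotes or whitespace: treat as
    # a likely injection attempt rather than a mere unexpected column.
    if re.search(r"[;'\"\s]|--|/\*", value):
        return "sql-metacharacters"
    return "not-in-allow-list"


def parse_log_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_log(text):
    """Return findings for every order-endpoint request whose orderBy value
    fails the allow-list, in log order."""
    findings = []
    for line in text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["target"])
        if not parts.path.startswith(ORDER_ENDPOINT_PREFIX):
            continue
        for value in parse_query(parts.query).get("orderBy", []):
            reason = classify_order_by(value)
            if reason is not None:
                findings.append({
                    "client": rec["client"],
                    "time": rec["time"],
                    "status": int(rec["status"]),
                    "orderBy": value,
                    "reason": reason,
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} status={f['status']} "
              f"reason={f['reason']} orderBy={f['orderBy']!r}")
```

Two design points: the query string is split on "&" by hand rather than with parse_qs, because older Python versions also split on ";" and would cut the payload in half before it is inspected; and the check is allow-list first, pattern second, so a value like "created_at" is still reported even though it contains no SQL metacharacters. A 500 response on a flagged request, as on the second sample line, is a useful secondary signal that the injected text reached the database.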

Conclusion

CVE-2024-8568 is a textbook example of why input validation and vendor response matter. If you use Mini-Tmall, you are at high risk—stop using affected versions and secure your database now. Always sanitize user input and stay updated with security advisories.

Stay safe: monitor, patch, and never trust user input.

*This post is exclusive. For responsible updates, always refer to original sources and test securely in non-production environments.*

Timeline

Published on: 09/08/2024 03:15:01 UTC
Last modified on: 09/09/2024 13:03:38 UTC