hafizgemilang/gist:c953d16c1459458667132e93359f3d6c Secret

## gistfile1.txt
# CVE-2025-52021 — Time-Based Blind SQL Injection in PuneethReddyHC / Online Shopping System Advanced (v1.0)

**CVE:** CVE-2025-52021
**Title:** Time-Based Blind SQL Injection via `product_id` parameter in `edit_product.php`
**Vendor / Repo:** PuneethReddyHC — https://github.com/PuneethReddyHC/online-shopping-system-advanced
**Affected Version:** 1.0 (branch/tag `master` at time of testing)
**Discoverer:** Hafiz Pradana Gemilang
**Disclosure status:** Vendor notified privately. Full exploit PoC withheld from public disclosure for user safety.

---

## Summary
A **time-based blind SQL injection** vulnerability was found in `admin/admin/edit_product.php` of the Online Shopping System Advanced v1.0. The `product_id` GET parameter is interpolated into a SQL query without proper validation or parameterization. An attacker can inject time-delay functions (e.g. `SLEEP`) to observe server response delays and infer database behavior, confirming a remote SQL injection point.

> Note: This advisory intentionally excludes a runnable exploit payload. Proof-of-concept details have been shared privately with the maintainer to allow remediation.

---

## Affected endpoint (example)
```
/admin/admin/edit_product.php?product_id=<value>
```
Example local testing URL:
```
http://<host>/online-shopping-system-advanced-master/admin/admin/edit_product.php?product_id=0
```

---

## Vulnerability details
- **Type:** SQL Injection (Time-Based Blind)
- **Parameter:** `product_id` (GET)
- **Location:** `admin/admin/edit_product.php`
- **Attack vector:** Remote (crafted URL); no authentication required if the admin endpoint is publicly accessible or reachable by the attacker.
- **Preconditions:** The endpoint must accept the `product_id` parameter and include it in a SQL statement without parameterization.

---

## Evidence (timing tests summary)
Timing-based injection attempts using database `SLEEP()` semantics produced measurable server-side delays consistent with successful injection:

- `SLEEP(6)` → observed response delay ≈ 6.01s
- `SLEEP(15)` → observed response delay ≈ 15.00s
- `SLEEP(0)` → baseline response delay ≈ 0.01s

These results indicate a blind SQL injection point that permits time-based inference. The database name observed during testing: `onlineshop`.

---

## Impact
Successful exploitation of this vulnerability allows attackers to:
- Confirm and enumerate database content via blind/time-based techniques.
- Exfiltrate data (schema, table names, rows) with automated tools (e.g. sqlmap) using time-based techniques.
- Potentially escalate to further compromise depending on database privileges and application context.

Estimated severity: **High**

---

## Reproduction (high-level)
1. Send a crafted request to the `product_id` parameter that includes time-delay SQL constructs (testing performed with `SLEEP()` variations).
2. Observe server response time to infer whether injected expression executed.
3. Repeated tests with different payloads allow automated extraction via time-based techniques.

> Full step-by-step PoC omitted from public advisory — contact the reporter for encrypted PoC under responsible disclosure terms.

---

## Recommended Remediation
1. **Use parameterized queries / prepared statements** for all database access. Do not concatenate user input into SQL strings.
   - Example (PHP + PDO):
     ```php
     $stmt = $pdo->prepare('SELECT * FROM products WHERE id = ?');
     $stmt->execute([$product_id]);
     ```
2. **Validate and sanitize input**: treat `product_id` as an integer and validate accordingly (e.g. `filter_input(INPUT_GET, 'product_id', FILTER_VALIDATE_INT)`).
3. **Least privilege**: ensure the database user used by the web application has minimal privileges (avoid `DROP`, `ALTER`, `GRANT`, or administrative rights).
4. **Error handling**: avoid leaking database errors to the client. Use generic error messages and log detailed errors server-side.
5. **WAF / rate-limiting**: as a temporary mitigation, implement WAF rules to detect common SQLi patterns and enforce rate-limits to slow mass extraction attempts.
6. **Audit related endpoints**: review other admin endpoints and parameters for similar injection patterns.

---

## Suggested sqlmap command
*(Included for vendor/maintainer convenience — do not publish PoC payloads publicly)*

```
sqlmap -u "http://<host>/online-shopping-system-advanced-master/admin/admin/edit_product.php?product_id=0" --dbms=mysql --batch --level=5 --risk=3 --technique=T --time-sec=6
```

---

## References
- OWASP SQL Injection: https://owasp.org/www-community/attacks/SQL_Injection
---

## Contact / Credits
**Discoverer:** Hafiz Pradana Gemilang
- Email: hafizpradana.gemilang21@gmail.com
- GitHub: https://github.com/hafizgemilang/CVE-2025-52021

Vendor / Repo: https://github.com/PuneethReddyHC/online-shopping-system-advanced

---

**Disclaimer:** This public advisory omits exploitable payloads to protect users. Full technical details and PoC are available to the vendor upon request under an agreed responsible disclosure policy.
	# CVE-2025-52021 — Time-Based Blind SQL Injection in PuneethReddyHC / Online Shopping System Advanced (v1.0)

	CVE: CVE-2025-52021
	Title: Time-Based Blind SQL Injection via `product_id` parameter in `edit_product.php`
	Vendor / Repo: PuneethReddyHC — https://github.com/PuneethReddyHC/online-shopping-system-advanced
	Affected Version: 1.0 (branch/tag `master` at time of testing)
	Discoverer: Hafiz Pradana Gemilang
	Disclosure status: Vendor notified privately. Full exploit PoC withheld from public disclosure for user safety.

	---

	## Summary
	A time-based blind SQL injection vulnerability was found in `admin/admin/edit_product.php` of the Online Shopping System Advanced v1.0. The `product_id` GET parameter is interpolated into a SQL query without proper validation or parameterization. An attacker can inject time-delay functions (e.g. `SLEEP`) to observe server response delays and infer database behavior, confirming a remote SQL injection point.

	> Note: This advisory intentionally excludes a runnable exploit payload. Proof-of-concept details have been shared privately with the maintainer to allow remediation.

	---

	## Affected endpoint (example)
	```
	/admin/admin/edit_product.php?product_id=<value>
	```
	Example local testing URL:
	```
	http://<host>/online-shopping-system-advanced-master/admin/admin/edit_product.php?product_id=0
	```

	---

	## Vulnerability details
	- Type: SQL Injection (Time-Based Blind)
	- Parameter: `product_id` (GET)
	- Location: `admin/admin/edit_product.php`
	- Attack vector: Remote (crafted URL); no authentication required if the admin endpoint is publicly accessible or reachable by the attacker.
	- Preconditions: The endpoint must accept the `product_id` parameter and include it in a SQL statement without parameterization.

	---

	## Evidence (timing tests summary)
	Timing-based injection attempts using database `SLEEP()` semantics produced measurable server-side delays consistent with successful injection:

	- `SLEEP(6)` → observed response delay ≈ 6.01s
	- `SLEEP(15)` → observed response delay ≈ 15.00s
	- `SLEEP(0)` → baseline response delay ≈ 0.01s

	These results indicate a blind SQL injection point that permits time-based inference. The database name observed during testing: `onlineshop`.

	---

	## Impact
	Successful exploitation of this vulnerability allows attackers to:
	- Confirm and enumerate database content via blind/time-based techniques.
	- Exfiltrate data (schema, table names, rows) with automated tools (e.g. sqlmap) using time-based techniques.
	- Potentially escalate to further compromise depending on database privileges and application context.

	Estimated severity: High

	---

	## Reproduction (high-level)
	1. Send a crafted request to the `product_id` parameter that includes time-delay SQL constructs (testing performed with `SLEEP()` variations).
	2. Observe server response time to infer whether injected expression executed.
	3. Repeated tests with different payloads allow automated extraction via time-based techniques.

	> Full step-by-step PoC omitted from public advisory — contact the reporter for encrypted PoC under responsible disclosure terms.

	---

	## Recommended Remediation
	1. Use parameterized queries / prepared statements for all database access. Do not concatenate user input into SQL strings.
	- Example (PHP + PDO):
	```php
	$stmt = $pdo->prepare('SELECT * FROM products WHERE id = ?');
	$stmt->execute([$product_id]);
	```
	2. Validate and sanitize input: treat `product_id` as an integer and validate accordingly (e.g. `filter_input(INPUT_GET, 'product_id', FILTER_VALIDATE_INT)`).
	3. Least privilege: ensure the database user used by the web application has minimal privileges (avoid `DROP`, `ALTER`, `GRANT`, or administrative rights).
	4. Error handling: avoid leaking database errors to the client. Use generic error messages and log detailed errors server-side.
	5. WAF / rate-limiting: as a temporary mitigation, implement WAF rules to detect common SQLi patterns and enforce rate-limits to slow mass extraction attempts.
	6. Audit related endpoints: review other admin endpoints and parameters for similar injection patterns.

	---

	## Suggested sqlmap command
	(Included for vendor/maintainer convenience — do not publish PoC payloads publicly)

	```
	sqlmap -u "http://<host>/online-shopping-system-advanced-master/admin/admin/edit_product.php?product_id=0" --dbms=mysql --batch --level=5 --risk=3 --technique=T --time-sec=6
	```

	---

	## References
	- OWASP SQL Injection: https://owasp.org/www-community/attacks/SQL_Injection
	---

	## Contact / Credits
	Discoverer: Hafiz Pradana Gemilang
	- Email: hafizpradana.gemilang21@gmail.com
	- GitHub: https://github.com/hafizgemilang/CVE-2025-52021

	Vendor / Repo: https://github.com/PuneethReddyHC/online-shopping-system-advanced

	---

	Disclaimer: This public advisory omits exploitable payloads to protect users. Full technical details and PoC are available to the vendor upon request under an agreed responsible disclosure policy.
No results found