CVE-2018-25191

SQL

Injection in Facturation System 1.0

CVE-2018-25191 describes an SQL injection vulnerability in Facturation System 1.0 (also known as Simple Invoice). The flaw resides in the editar_producto.php endpoint, where the mod_id parameter is not properly sanitized before being used in SQL queries. An authenticated attacker can inject arbitrary SQL code by crafting POST requests containing malicious payloads in this parameter. The exploit proof-of-concept demonstrated on the OffSec Exploit Database shows how a concatenation-based injection can extract information from the database [1].

The attack vector requires authentication, but no special privileges beyond a valid session are needed. An attacker can send a POST request to ajax/editar_producto.php with a crafted mod_id value that breaks out of the original query context and appends malicious SQL. The proof-of-concept uses double-pipe concatenation (||) and subqueries to retrieve database metadata, such as the current user, database name, and version, which are then reflected in the HTTP response [1].

Successful exploitation allows an attacker to extract sensitive data from the underlying MySQL database, including usernames, database names, version strings, and potentially other records. The attack can also be extended to read from arbitrary tables, depending on the database permissions. Facturation System 1.0 does not appear to have released a patch; the software may be abandoned (the vendor homepage and download link no longer work [1]). Administrators should consider upgrading to an alternative invoicing solution or, if possible, applying parameterized queries to the vulnerable endpoint as a workaround.