Membership Management System 1.0 SQL Injection

2024.03.01
Credit: SoSPiro
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

- Title: Membership Management System - SQL injection - Application: Hospital Management System - Date: 01.03.2024 - Bugs: SQL injection - Exploit Author: SoSPiro - Vendor Homepage: https://codeastro.com/author/nbadmin/ - Software Link: https://codeastro.com/membership-management-system-in-php-with-source-code/ - Version: 1.0 - Tested on: Windows 10 64 bit Wampserver ### Vulnerability Description: The provided payload in the POST request indicates a potential SQL injection vulnerability. Specifically, the manipulation within the email and password parameters suggests an attempt to influence the SQL query directly, presenting a risk for exploiting security vulnerabilities. ### SQL Injection: This manipulated submission aims to affect the SQL query by incorporating user input. For instance, the use of **sleep(5)** introduces a time-delay technique, indicative of a potential resource-consuming attack vector by malevolent actors. ### Proof of Concept (PoC): Below is an example payload illustrating the SQL injection vulnerability: ``` email=test@123.asd' + (SELECT * FROM (SELECT (SLEEP(5)))a) +'&password=admin' or '1'='1'&login= ``` In this example, the **sleep(5)** function is employed to induce a time delay, followed by the use of or **'1'='1'** in the password control section, aiming to always evaluate as true. - Request Response [PoC FoTo](https://gcdnb.pbrd.co/images/9k8xy4YRomp3.png?o=1) ### Vulnerable Code Section: ```php $email = $_POST['email']; $password = $_POST['password']; $hashed_password = md5($password); $sql = "SELECT * FROM users WHERE email = '$email' AND password = '$hashed_password'"; ``` The provided PHP code section exacerbates the SQL injection risk by directly incorporating user input into the SQL query. To mitigate this vulnerability, the use of parameterized queries or prepared statements is recommended. ## Reproduce: https://sospiro014.github.io/Membership-Management-System-SQL-injection


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top