Submit #266941: codeastro web application 1.0 SQL Injectioninfo

Titlecodeastro web application 1.0 SQL Injection
DescriptionIntroduction: This document outlines the identification and details of a SQL Injection vulnerability discovered in Real Estate Management System in PHP Project Name: Real Estate Management System in PHP Version: version 1.0 Vendor: codeastro.com Project Link: [Real Estate Management System] (https://codeastro.com/real-estate-management-system-in-php-with-source-code/) Vulnerability Details: Vulnerability Type: SQL Injection Impact: Attacker can inject malicious code Affected Parameter: pid in http://localhost/RealEstate-PHP/propertydetail.php?pid= Severity: High Description: The Real Estate Management System is susceptible to SQL injection through the pid parameter on the propertydetail.php page. An attacker could exploit this vulnerability to manipulate the database and compromise sensitive information. Reproduction Steps: Access the URL http://localhost/RealEstate-PHP/propertydetail.php?pid= Use below mentioned payloads in pid Payloads Used: 1. %27%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71707a7671,0x79556b757a7058537a557562706745645a734470697458794c5771584e58444b72624d76526d5546,0x7171716b71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--%20- 2. AND (SELECT 5827 FROM (SELECT(SLEEP(5)))UGKM) AND 'eopl'='eopl Mitigation Steps: • Input Validation: Implement strict input validation and use parameterized queries to prevent SQL injection. • Update System: Keep the Real Estate Management System, PHP, and server components up-to-date with the latest security patches. • Security Audits: Regularly audit system security and consider professional assessments to identify and fix vulnerabilities. • Education: Train developers on secure coding practices, emphasizing input validation and secure database handling. Reporter Information: Name: Pranav P Ramesh Contact Information: pranavpramesh777@gmail.com Role: Senior security engineer Project Details: Project Name: Real Estate Management System in PHP Version: version 1.0 Vendor: codeastro.com Project Link: [Real Estate Management System] (https://codeastro.com/real-estate-management-system-in-php-with-source-code/) Source of Project: Real Estate Management System from Discovery Date: 12-01-2024 Responsible Disclosure: I commit to responsible disclosure and will not publicly disclose the vulnerability until it has been addressed. Preferred Communication Method: pranavpramesh777@gmail.com Timeline: The vulnerability was discovered on 12-01-2024
Source⚠️ https://drive.google.com/drive/folders/1U2nirIi6OtuCi-vrD2-VHyJbsHK5yA7t?usp=sharing
UserPranav P Ramesh (ID 61394)
Submission01/12/2024 07:12 PM (5 months ago)
Moderation01/14/2024 07:50 PM (2 days later)
StatusAccepted
VulDB Entry250713

Want to stay up to date on a daily basis?

Enable the mail alert feature now!