| Title | Github Blood-Bank-And-Donation-Management-System 1.0 SQL Injection |
|---|
| Description | Discoverer: Shuvo Ahmed Sanin
Description:
Blood Bank And Donation Management System v1.0 is vulnerable to SQL injection in the "Become A Donor" form (donate_blood.php).
Vulnerability Details:
Vulnerability Type: SQL Injection (time-based blind; the PoC uses MySQL sleep())
Vendor: Github (the project is an individual repository, varunsardana004)
Affected Product: Blood Bank And Donation Management System v1.0
Software URL: https://github.com/varunsardana004/Blood-Bank-And-Donation-Management-System
Affected Component: Become A Donor section, donate_blood.php (on a local install: http://localhost/Blood-Bank-And-Donation-Management-System/donate_blood.php); the fullname POST parameter is the one used in the PoC
Attack Type: Local (as submitted; donate_blood.php is an ordinary web form, so the same request can be sent by any client that can reach the application)
Tested on: Windows 11, latest Kali Linux
Impact: The submission lists "Code execution(true)". What the PoC below actually demonstrates is a time-based blind SQL injection, i.e. attacker-controlled SQL executed by the application's database account; code execution on the host is not shown.
Steps to Reproduce:
1. Open the Become A Donor section of a running instance (donate_blood.php; the source is at https://github.com/varunsardana004/Blood-Bank-And-Donation-Management-System).
2. Fill in all the fields, submit the form, and intercept the POST request with Burp Suite.
3. Send the intercepted request to the Repeater tab.
4. In Repeater, replace fullname=test with fullname=test'%2b(select*from(select(sleep(10)))a)%2b'& (URL-decoded: test'+(select*from(select(sleep(10)))a)+'). The first quote closes the string literal the application builds around the value, the subquery calls MySQL sleep(10), and the trailing quote opens a new literal so the statement remains syntactically valid; %2b is used because a raw + in a form body decodes to a space.
5. Observe that the response arrives only after about 10 seconds, which shows the injected subquery was executed by the database. Re-send the request with sleep(0) or a different delay to confirm that the response time tracks the injected value rather than network latency.
[Note: according to the submitter, all parameters sent by the submit request are vulnerable to SQLi, not only fullname.]
PoC Video: https://drive.google.com/file/d/1QbvwK818W4VAz_LTu0O6IsEnxOR8iDKJ/view?usp=sharing
Impact:
1. An attacker who can submit the donor form can run arbitrary SQL as the application's database account: read the stored donor and user records, modify or delete data, and, depending on that account's privileges and the database server's configuration, reach further into the system and disrupt the service. Time-based blind injection is slower than error- or union-based extraction, but it is still sufficient to exfiltrate the whole database one condition at a time, so the issue is a severe risk to both system security and business continuity.
Mitigation:
Use prepared statements and parameter binding:
Prepared statements separate the SQL code from user-supplied data: the statement text with placeholders is compiled first, and the values are bound afterwards and handled purely as data, so a quote or a subquery inside a value can never change the structure of the statement. In PHP this means mysqli prepared statements or PDO with bound parameters instead of concatenating $_POST values into the query string.
Input validation and filtering:
Strictly validate user input against the expected format (for example, a name field should accept only letters, spaces and a few punctuation characters, with a length limit) and reject anything else. This is defence in depth and does not replace parameterised queries.
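The mechanics of the finding and of the two mitigations above, as an added example that is not part of the original advisory or of the Blood-Bank-And-Donation-Management-System project. Python's sqlite3 module stands in for PHP and MySQL: SQLite has no sleep(), so the injected subquery returns the constant 1 instead of sleeping, but the quote break-out and the execution of the subquery are the same. The table and column names (donors, fullname, blood_group) and the character set the validator allows are assumptions.

```python
"""
Added example; not code from the original advisory or from the
Blood-Bank-And-Donation-Management-System project. Python's sqlite3 stands in
for PHP/MySQL: SQLite has no sleep(), so the injected subquery returns 1
instead of sleeping, but the quote break-out and subquery execution are the
same. The table/column names and the validator's allowed characters are
assumptions.
"""
import re
import sqlite3

# The submitted payload after URL decoding (%2b -> +), with sleep(10)
# replaced by the constant 1 because SQLite has no sleep() function.
PAYLOAD = "test'+(select*from(select(1))a)+'"


def new_db():
    """Constructed in-memory stand-in for the application's donor table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE donors (id INTEGER PRIMARY KEY, fullname TEXT, blood_group TEXT)"
    )
    return conn


def insert_vulnerable(conn, fullname, blood_group):
    """Pattern of the vulnerable code: the value is pasted into the SQL text,
    so quotes in the value become part of the statement. Returns the SQL sent."""
    sql = (
        "INSERT INTO donors (fullname, blood_group) VALUES ('"
        + fullname + "', '" + blood_group + "')"
    )
    conn.execute(sql)
    return sql


def insert_safe(conn, fullname, blood_group):
    """Hardened form: placeholders in the statement, values bound separately.
    The database never parses the value as SQL."""
    conn.execute(
        "INSERT INTO donors (fullname, blood_group) VALUES (?, ?)",
        (fullname, blood_group),
    )


def last_fullname(conn):
    """Return the fullname of the most recently inserted row."""
    row = conn.execute(
        "SELECT fullname FROM donors ORDER BY id DESC LIMIT 1"
    ).fetchone()
    return row[0]


# Assumed whitelist for a donor name: letters, spaces, dot, apostrophe,
# hyphen, at most 80 characters.
FULLNAME_RE = re.compile(r"[A-Za-z][A-Za-z .'-]{0,79}")


def valid_fullname(value):
    """Defence in depth: reject anything outside the expected name format."""
    return FULLNAME_RE.fullmatch(value) is not None


def demo():
    """Exercise both code paths; returns what actually ended up in the table."""
    results = {}
    conn = new_db()

    insert_vulnerable(conn, PAYLOAD, "O+")
    # SQLite evaluates 'test' + (subquery) + '' numerically: 0 + 1 + 0 = 1.
    # The stored name is "1", proof that the subquery ran as SQL. In MySQL the
    # original payload sleeps 10 s and then stores 0 the same way.
    results["vulnerable_payload"] = last_fullname(conn)

    insert_safe(conn, PAYLOAD, "O+")
    results["safe_payload"] = last_fullname(conn)  # the literal payload text

    # A legitimate name with an apostrophe breaks the vulnerable query
    # (a real-world symptom of this bug) but is stored correctly when bound.
    try:
        insert_vulnerable(conn, "Mary O'Brien", "A-")
        results["vulnerable_apostrophe"] = "inserted"
    except sqlite3.OperationalError:
        results["vulnerable_apostrophe"] = "syntax error"
    insert_safe(conn, "Mary O'Brien", "A-")
    results["safe_apostrophe"] = last_fullname(conn)

    results["validator"] = (valid_fullname("Mary O'Brien"), valid_fullname(PAYLOAD))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running the block shows the vulnerable path storing "1" for the payload (the subquery was evaluated) and failing outright on an ordinary name containing an apostrophe, while the bound version stores both values verbatim. The validator rejects the payload but accepts the apostrophe name, which is why validation alone is not the fix: the legitimate input still has to reach the database safely.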
Minimize database user permissions:
|
|---|
| Source | https://github.com/sanin-s1r3n/CVE-Research/blob/main/CVE-3 |
|---|
| User | redteam_bd (UID 89841) |
|---|
| Submission | 2 October 2025 09:32 (7 months ago) |
|---|
| Moderation | 8 October 2025 07:27 (6 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 327599 [varunsardana004 Blood-Bank-And-Donation-Management-System up to dc9e0393d826fbc85fad9755b5bc12cba1919df2 /donate_blood.php fullname SQL Injection] |
|---|
| Points | 20 |
|---|