Submit #91363: SOURCECODESTER Auto Dealer Management System 1.0 / manage_user.php id SQL Injection

Title: SOURCECODESTER Auto Dealer Management System 1.0 / manage_user.php id SQL Injection
Description: The id parameter of the Auto Dealer Management System page manage_user.php is vulnerable to SQL injection. Although this page is only meant to be reached from the admin portal, a broken access control issue lets a low-privileged user open it and perform the SQL injection to gain full access to the system.

Vendor Homepage: https://www.sourcecodester.com
Software Link: Auto Dealer Management System (https://www.sourcecodester.com/php/15371/auto-dealer-management-system-phpoop-free-source-code.html)
Version: v 1.0
Affected Page: manage_user.php. On this page the id parameter is vulnerable to SQL injection.
URL of the vulnerable parameter: ?page=user/manage_user&id=*

Description: The Auto Dealer Management System supports two user roles, admin and normal employee. The roles are as follows:
- Admin user has full access to the system.
- Employee user has access to only a few menus, i.e. dashboard, car models and vehicle (available and transaction).

Although the employee user is not supposed to have access to manage_user.php, broken access control lets an employee perform the SQL injection by opening the manage_user.php page. Therefore, a low-privileged user can gain full access to the system.

Proof of Concept: The following steps are involved:
- The employee guesses the page manage_user.php and passes an arbitrary id parameter; that parameter is vulnerable to SQL injection (?page=user/manage_user&id=1*).
- Full SQL injection payload: localhost/adms/admin/?page=user/manage_user&id=1%27+and+false+union+select+1,user(),3,4,database(),6,7,8,9,10,11--+-

Recommendation: Whoever uses this CMS should update the application code to use parameterized queries to avoid SQL injection attacks. Example code:

$sql = $obj_admin->db->prepare("SELECT * FROM users WHERE id = :id");
$sql->bindParam(':id', $id);
$sql->execute();
$row = $sql->fetch(PDO::FETCH_ASSOC);
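The recommendation above in working form, as an added example that is not part of the submission or of the vendor's code. It addresses both findings the report names: the missing role check on the admin-only page and the string-built id query. It runs stand-alone against an in-memory SQLite database with a constructed users table; the column names, the session layout and the convention that type 1 means admin are assumptions, not taken from the product.

```php
<?php
// Added example, not the vendor's code: the two fixes the report calls for,
// a server-side role check on the admin-only page and a parameterized query
// for the id lookup. Runs stand-alone on an in-memory SQLite database with a
// constructed schema; column names and the role value are assumptions.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, type INTEGER)");
$db->exec("INSERT INTO users VALUES (1, 'admin', 1), (2, 'employee', 2)");

// Access control fix: the page checks the session role itself, so simply
// knowing the page name no longer reaches the query. (type 1 = admin is an
// assumed convention, not the product's.)
function is_admin(array $session): bool
{
    return ($session['type'] ?? null) === 1;
}

// Vulnerable pattern, kept only for contrast: the parameter is spliced into
// the SQL text, so a quote character in it changes the statement.
function get_user_unsafe(PDO $db, string $id): array|false
{
    return $db->query("SELECT * FROM users WHERE id = '$id'")->fetch(PDO::FETCH_ASSOC);
}

// Fixed pattern: reject anything that is not an integer, then bind the value.
// A bound value travels as data and is never parsed as SQL.
function get_user_safe(PDO $db, string $id): array|false
{
    $int = filter_var($id, FILTER_VALIDATE_INT);
    if ($int === false) {
        return false;
    }
    $stmt = $db->prepare("SELECT * FROM users WHERE id = :id");
    $stmt->bindValue(':id', $int, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Handler for the manage_user page: role check first, query second.
function manage_user(PDO $db, array $session, string $id): array|false
{
    if (!is_admin($session)) {
        http_response_code(403);
        return false;
    }
    return get_user_safe($db, $id);
}

$malformed = "1' OR '1'='1";                           // constructed, non-numeric id
var_dump(manage_user($db, ['type' => 2], '1'));        // false: employee session is refused
var_dump(manage_user($db, ['type' => 1], $malformed)); // false: rejected as non-integer
var_dump(manage_user($db, ['type' => 1], '2'));        // the employee row, looked up safely
```

The integer validation step is there because PDO drivers differ in how they coerce a non-numeric string bound with PDO::PARAM_INT; validating first keeps the behaviour identical across MySQL and SQLite and gives the handler a clear place to log a rejected request. The role check belongs in the page handler, not only in the menu, because the report's point is that the menu was the only thing hiding the page.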
Source: https://github.com/navaidzansari/CVE_Demo/blob/main/2023/Auto%20Dealer%20Management%20System%20-%20SQL%20Injection%20-%203.md
User: navaidansari (UID 41266)
Submission: 02/18/2023 21:09 (3 years ago)
Moderation: 02/19/2023 09:08 (12 hours later)
Status: Accepted
VulDB entry: 221490 [SourceCodester Auto Dealer Management System 1.0 manage_user ID sql injection]
Points: 20
