FAQ Management System v1.0 - 'faq' SQL Injection

Exploit Author: SoSPiro Analysis Author: www.bubbleslearn.ir Category: Remote Language: PHP Published Date: 2024-02-26 
# Exploit Title: FAQ Management System v1.0 - 'faq' SQL Injection
# Google Dork: N/A
# Application: FAQ Management System
# Date: 25.02.2024
# Bugs: SQL Injection 
# Exploit Author: SoSPiro
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/17175/faq-management-system-using-php-and-mysql-source-code.html
# Version: 1.0
# Tested on: Windows 10 64 bit Wampserver 
# CVE : N/A


## Vulnerability Description:

The provided code is vulnerable to SQL injection. The vulnerability arises from directly using user input ($_GET['faq']) in the SQL query without proper validation or sanitization. An attacker can manipulate the 'faq' parameter to inject malicious SQL code, leading to unintended and potentially harmful database operations.


## Proof of Concept (PoC):

An attacker can manipulate the 'faq' parameter to perform SQL injection. For example:

1. Original Request:
http://example.com/endpoint/delete-faq.php?faq=123

2.Malicious Request (SQL Injection):
http://example.com/endpoint/delete-faq.php?faq=123'; DROP TABLE tbl_faq; --

This would result in a query like:

DELETE FROM tbl_faq WHERE tbl_faq_id = '123'; DROP TABLE tbl_faq; --

Which can lead to the deletion of data or even the entire table.


poc foto: https://i.imgur.com/1IENYFg.png


## Vulnerable code section:
====================================================
endpoint/delete-faq.php


$faq = $_GET['faq'];

// ...

$query = "DELETE FROM tbl_faq WHERE tbl_faq_id = '$faq'";


SQL Injection in FAQ Management System v1.0: A Critical Security Flaw Exploited via the 'faq' Parameter

SQL injection remains one of the most prevalent and dangerous vulnerabilities in web applications, particularly those built with PHP and MySQL. The FAQ Management System v1.0, available on SourceCodester, exemplifies a classic case of poor input handling that opens the door to full database compromise. This article dissects the vulnerability, explains its real-world impact, and provides expert-level mitigation strategies.

Understanding the Vulnerability: The 'faq' Parameter

At the core of this exploit lies a simple yet dangerous practice: direct use of user input in SQL queries without sanitization. The vulnerable endpoint is delete-faq.php, which accepts a parameter named faq via the GET method.


$faq = $_GET['faq'];

$query = "DELETE FROM tbl_faq WHERE tbl_faq_id = '$faq'";

Here, the value of $faq is directly inserted into the SQL query string. This creates a perfect environment for SQL injection, where an attacker can inject malicious SQL commands by manipulating the faq parameter.

Proof of Concept: How the Attack Works

Consider the following malicious request:

Original Request: http://example.com/endpoint/delete-faq.php?faq=123

Malicious Request: http://example.com/endpoint/delete-faq.php?faq=123'; DROP TABLE tbl_faq; --

When processed, the resulting SQL query becomes:


DELETE FROM tbl_faq WHERE tbl_faq_id = '123'; DROP TABLE tbl_faq; --

This query performs two actions:

  • Deletes the record with ID 123.
  • Executes DROP TABLE tbl_faq, which permanently removes the entire FAQ table from the database.

Even worse, this can be extended to extract sensitive data, perform UNION attacks, or escalate privileges—especially if the database user has elevated permissions.

Real-World Impact and Risk Assessment

Attack Vector Exploitation Risk Impact
SQL Injection via GET parameter High Complete data loss, database corruption, unauthorized access
Unsanitized input handling Medium-High Easy to exploit with minimal technical knowledge
Open-source software with no security audits High Widespread adoption increases exposure

Since the FAQ Management System is hosted on SourceCodester, a platform that hosts numerous open-source PHP projects, this vulnerability could be replicated across hundreds of installations—especially in educational or small business environments where security practices are often overlooked.

Why This Vulnerability Is So Dangerous

SQL injection is not just about data theft—it can lead to:

  • Complete database deletion (as demonstrated in the PoC).
  • Privilege escalation if the database user has administrative rights.
  • Command execution through techniques like LOAD_FILE or OUTFILE (if the database server allows it).
  • Denial of service by corrupting or deleting critical tables.

Moreover, because this is a GET-based request, attackers can easily craft malicious URLs and automate exploitation using tools like SQLMap or Burp Suite.

Expert-Level Mitigation Strategies

To prevent such vulnerabilities, developers must adopt secure coding practices. Below is a corrected, secure version of the code using prepared statements:


// Secure version using PDO prepared statements
$faq = $_GET['faq'];

// Validate input: ensure it's numeric
if (!is_numeric($faq)) {
    die("Invalid input: FAQ ID must be a number.");
}

// Use PDO for prepared statements
$pdo = new PDO("mysql:host=localhost;dbname=faq_db", $username, $password);
$stmt = $pdo->prepare("DELETE FROM tbl_faq WHERE tbl_faq_id = ?");
$stmt->execute([$faq]);

Explanation:

  • Input validation: is_numeric() ensures only numbers are accepted, blocking string-based injection attempts.
  • Prepared statements: The query is separated from data, preventing SQL injection by design.
  • Parameter binding: The value is passed as a parameter, not concatenated into the query.
  • Database abstraction: Using PDO enhances security and portability.

Additionally, developers should:

  • Implement input sanitization using functions like mysqli_real_escape_string() in legacy code.
  • Use whitelist validation—only allow known, safe values (e.g., integers between 1 and 1000).
  • Log and monitor suspicious requests, especially those containing ;, --, or /*.
  • Apply least privilege to database users—never use root or admin accounts for web applications.

Conclusion: Security Must Be Built In, Not Added Later

The FAQ Management System v1.0 serves as a cautionary tale: even simple, seemingly harmless applications can harbor critical vulnerabilities. SQL injection is not a rare edge case—it’s a fundamental security flaw that occurs when developers fail to treat user input as potentially malicious.

By adopting secure coding practices—especially prepared statements and input validation—developers can prevent exploitation before it happens. Security should never be an afterthought; it must be an integral part of every development cycle.