Petrol Pump Management Software v.1.0 - SQL Injection

Exploit Author: Shubham Pandey Analysis Author: www.bubbleslearn.ir Category: Remote Language: PHP Published Date: 2024-03-03 
# Exploit Title: Petrol Pump Management Software v.1.0 - SQL Injection
# Date: 01-03-2024
# Exploit Author: Shubham Pandey
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/17180/petrol-pump-management-software-free-download.html
# Version: 1.0
# Tested on: Windows, Linux
# CVE : CVE-2024-27746
# Description: SQL Injection vulnerability in Petrol Pump Management Software v.1.0 allows an attacker to execute arbitrary code via a crafted payload to the email address parameter in the index.php component.
# POC:
1. Here we go to : http://localhost/fuelflow/index.php
2. Now login with username: test@test.com';SELECT SLEEP(10)# and
Password=test
3. Page will load for 10 seconds because of time-based sql injection
# Reference:
https://github.com/shubham-s-pandey/CVE_POC/blob/main/CVE-2024-27746.md


Petrol Pump Management Software v.1.0 — SQL Injection (CVE-2024-27746)

Summary: Petrol Pump Management Software v.1.0 contains a SQL injection vulnerability in its authentication component that allows an attacker to manipulate SQL queries via the email parameter. The issue has been tracked as CVE-2024-27746. Successful exploitation can allow attackers to enumerate data, bypass authentication, or execute time‑based techniques to confirm injection vectors. This article explains the vulnerability at a high level, describes safe testing practices, and provides concrete remediation and hardening guidance for developers and administrators.

What is SQL Injection (high level)

SQL injection is a class of injection flaws where untrusted input is incorporated into a database query in an unsafe manner. When user-supplied values are directly concatenated into SQL statements, an attacker can manipulate the resulting query structure. Variants include error-based, union-based, boolean-based, and time-based techniques, depending on how the application and database respond.

Why this vulnerability matters

  • Authentication bypass: Attackers can modify login queries and potentially log in as other users.
  • Data disclosure or modification: Unsanitized queries may expose or alter sensitive records (customers, transactions, fuel logs).
  • Application compromise: In some environments, SQL injection can be escalated to command execution or further pivoting.
  • Compliance and trust: Data breaches impact regulatory compliance and user trust for fuel station operators.

Technical summary (non-actionable)

The vulnerable component accepts an email parameter in the authentication flow and incorporates it into a SQL statement without proper parameterization. The vulnerability enables time-based confirmation techniques — i.e., an attacker can cause the database to introduce observable delays to confirm the presence of an injectable parameter. This is an indicator of classic SQLi rather than an application-specific logic bug.

Safe testing and responsible disclosure

  • Only test on systems you own or where you have explicit authorization. Unauthorized testing is illegal and unethical.
  • Use isolated test environments that mirror production, with representative data sanitized for privacy.
  • Prefer non-destructive methods (passive scanning, safe queries) before any intrusive checks.
  • If you discover a vulnerability in a third‑party product, follow coordinated disclosure: contact the vendor, provide reproduction steps on a secure channel, and allow time for a fix before publishing details.

How to fix: defensive coding and architecture

The single best protection against SQL injection is to stop directly concatenating user input into SQL queries. Use parameterized queries (prepared statements), proper password handling, and database least privilege. Below are secure examples and explanations for PHP environments commonly used by this application.

Insecure pattern (example)

// Insecure: concatenating user input into SQL (do not use)
$email = $_POST['email'];
$password = $_POST['password'];
$sql = "SELECT * FROM users WHERE email = '$email' AND password = '$password'";
$result = mysqli_query($conn, $sql);

Explanation: This pattern interpolates untrusted input directly into SQL text. An attacker can change SQL syntax by submitting crafted input, altering the query's structure. It also implies passwords may be stored or compared in cleartext, which is insecure.

Secure fix — use PDO with prepared statements and password hashing

// Secure: PDO prepared statements + password hashing
$dsn = 'mysql:host=localhost;dbname=fuel_app;charset=utf8mb4';
$pdo = new PDO($dsn, $dbUser, $dbPass, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

$email = $_POST['email'] ?? '';
$password = $_POST['password'] ?? '';

// Retrieve the user record by email using a prepared statement
$stmt = $pdo->prepare('SELECT id, password_hash, role FROM users WHERE email = :email LIMIT 1');
$stmt->execute([':email' => $email]);
$user = $stmt->fetch(PDO::FETCH_ASSOC);

if ($user && password_verify($password, $user['password_hash'])) {
    // Successful authentication: set session, etc.
} else {
    // Authentication failed
}

Explanation: This code uses PDO prepared statements so the email is sent to the database as a parameter, not concatenated into the SQL. The database treats it as data, preventing query manipulation. Passwords are validated with password_verify() against a stored password hash (created with password_hash()), so raw passwords are never compared or stored.

Secure fix — MySQLi prepared statement example

// Secure: MySQLi prepared statement + password hashing
$stmt = $mysqli->prepare('SELECT id, password_hash FROM users WHERE email = ? LIMIT 1');
$stmt->bind_param('s', $email);
$stmt->execute();
$stmt->bind_result($id, $password_hash);
if ($stmt->fetch() && password_verify($password, $password_hash)) {
    // Authenticated
}
$stmt->close();

Explanation: The MySQLi prepared statement uses placeholders and separate parameter binding. This ensures the email parameter cannot change SQL syntax. The password check uses secure hashing APIs.

Additional coding best practices

  • Use parameterized queries for every database interaction, not just authentication.
  • Store passwords with strong, adaptive hashing algorithms (bcrypt via password_hash(), Argon2 if available).
  • Enable database error logging but avoid exposing detailed SQL errors to end users.
  • Set PDO::ATTR_EMULATE_PREPARES to false where possible to enforce native prepared statements.

Operational and architectural mitigations

  • Database least privilege: application DB user should only have the minimum rights needed (SELECT/INSERT/UPDATE as required), not administrative privileges.
  • Input validation: enforce strict formats for expected fields (email patterns, max length), but treat validation as defense-in-depth — it is not a substitute for prepared statements.
  • Output encoding: encode data that is rendered in HTML/JS contexts to prevent injection elsewhere.
  • Rate limiting and login throttling: protect authentication endpoints from brute-force and automated probing.
  • Web Application Firewall (WAF): can provide additional protection and alerting for suspicious input patterns.
  • Logging and monitoring: implement comprehensive logs for authentication attempts and unusual query performance (sudden delays may indicate abuse).

Testing and verification (safe approach)

To verify fixes in a controlled environment:

  • Run application tests that simulate invalid input and assert no SQL errors or unexpected behavior.
  • Perform authenticated and unauthenticated code review focused on query construction sites.
  • Use automated static analysis and dynamic scanners in staging, ensuring you have permission and the right scope for tests.
  • Perform unit and integration tests that confirm prepared statements are used and password hashing is applied.

Incident response and disclosure

If you are an administrator of a deployed instance and suspect exploitation:

  • Isolate the affected system and preserve logs for forensic review.
  • Rotate credentials used by the application to access the database.
  • Apply the patch or the mitigations above, then validate in a staging environment before reintroducing to production.
  • Notify affected stakeholders and follow applicable breach notification obligations.

Remediation checklist

TaskRecommended action
Eliminate SQLiParameterize all queries; remove direct concatenation of user input
Password storageMigrate to strong hashing (password_hash/password_verify)
Principle of least privilegeRestrict DB user rights; rotate credentials
Input validationEnforce length and format checks; use allow-lists
MonitoringLog auth attempts, set alerts on unusual latency or query patterns
Patch mgmtKeep frameworks, DBMS, and libraries up to date; subscribe to vendor advisories

References and further reading

  • CVE-2024-27746 — vendor advisory or security researcher writeups (search vendor/security databases)
  • OWASP SQL Injection and Authentication Cheat Sheets — defensive coding patterns
  • PHP: PDO and password_hash / password_verify documentation — secure APIs for DB and passwords

By implementing the coding and operational controls above, developers and administrators can mitigate SQL injection risks in Petrol Pump Management Software and similar PHP/MySQL applications. Focus first on parameterized queries and proper password handling, then harden the environment with least privilege, monitoring, and testing processes.