Online Nurse Hiring System 1.0 - Time-Based SQL Injection

Online Nurse Hiring System 1.0 – Time-Based SQL Injection Vulnerability Analysis

Security vulnerabilities in web applications remain a persistent threat, especially in systems that rely on dynamic database interactions. The Online Nurse Hiring System 1.0, developed by phpgurukul.com, exemplifies how even seemingly simple PHP-based applications can expose critical flaws when input validation is neglected. This article delves into a specific exploit discovered on the book-nurse.php endpoint, where the bookid parameter is susceptible to time-based SQL injection.

Understanding Time-Based SQL Injection

Time-based SQL injection is a stealthy form of attack that leverages the database's response time to infer information about the underlying system. Unlike classic boolean-based or error-based SQLi, it does not rely on visible errors or direct output; instead, it exploits the SLEEP() function in MySQL to artificially delay responses.

When a malicious payload containing SLEEP(5) is injected, the database pauses for the specified duration—typically 5 seconds—before returning a result. This delay can be detected by the attacker through timing analysis, confirming the presence of a vulnerability.

Exploit Details: The bookid Parameter Vulnerability

The vulnerability exists in the book-nurse.php page, which allows users to book nurse services. The bookid parameter is used to identify the booking record, but it is improperly sanitized before being passed to the SQL query.

According to the exploit report, the following payload triggers a time delay:

1'+AND+(SELECT+2667+FROM+(SELECT(SLEEP(5)))RHGJ)+AND+'vljY'%3d'vljY

This payload is encoded for URL transmission and decoded as:

1' AND (SELECT 2667 FROM (SELECT(SLEEP(5)))RHGJ) AND 'vljY' = 'vljY'

Let’s break it down:

• 1' – Begins the SQL injection by closing the initial string value.
• AND (SELECT 2667 FROM (SELECT(SLEEP(5)))RHGJ) – This is the core payload. The SLEEP(5) function forces the MySQL server to pause for 5 seconds.
• AND 'vljY' = 'vljY' – A redundant condition to maintain syntactic validity, ensuring the query remains logically true.

Because the SLEEP() function is executed within a nested subquery, it effectively causes a delay in the database response. This delay is measurable by the client, confirming the vulnerability.

Proof of Concept: Real-World Testing

The exploit was tested on a local environment using Kali Linux 6.1.27-1kali1 and XAMPP 7.4.30. The request was sent via POST to /onhs/book-nurse.php?bookid=1'+AND+(SELECT+2667+FROM+(SELECT(SLEEP(5)))RHGJ)+AND+'vljY'%3d'vljY with a form payload containing dummy contact details.

Key observations:

Request	Response Time	Outcome
Valid bookid (e.g., 1)	≈ 0.5 seconds	Normal response
Malicious payload with SLEEP(5)	≈ 5.0 seconds	Confirmed time delay

The significant increase in response time (from 0.5 to 5 seconds) is a clear indicator of successful injection. This behavior confirms that the application is vulnerable to time-based SQL injection.

Why This Is Dangerous

Time-based SQL injection may seem less immediate than error-based attacks, but it poses a real threat. It allows attackers to:

• Confirm the presence of a SQL injection vulnerability without triggering error messages.
• Exfiltrate sensitive data by using time delays to infer the existence of database columns, table names, or even specific values.
• Perform blind attacks in environments where error messages are disabled or suppressed.

For example, an attacker could use a series of payloads with SLEEP(5) and conditional logic based on column existence (e.g., IF(COLUMN_EXISTS, SLEEP(5), 0)) to slowly reconstruct the database schema.

Root Cause and Remediation

The vulnerability stems from a lack of input sanitization and improper use of dynamic SQL queries. The system likely constructs the query as:

SELECT * FROM bookings WHERE bookid = '$bookid'

Without proper escaping or parameterized queries, user input is directly embedded into the SQL statement, opening the door to injection.

Recommended fixes:

• Use prepared statements (e.g., PDO::prepare() or mysqli_stmt_prepare()) to separate SQL logic from user input.
• Implement strict input validation: only allow numeric values for bookid and reject non-numeric input.
• Disable or restrict the use of SLEEP() and other time-delay functions in production environments.
• Log and monitor suspicious queries to detect potential attacks.

For instance, a secure version of the query would look like:

$stmt = $pdo->prepare("SELECT * FROM bookings WHERE bookid = ?");
$stmt->execute([$bookid]);

This approach prevents any SQL injection, including time-based variants, by ensuring the input is treated as data, not executable code.

Broader Implications

While the Online Nurse Hiring System 1.0 is a small-scale application, it reflects a broader trend: many open-source or educational PHP projects lack robust security practices. This vulnerability highlights the need for:

• Security audits before deployment.
• Regular updates and patching.
• Developer education on secure coding standards.

Even systems designed for learning can become targets if deployed in real-world environments without proper safeguards.

Conclusion

The time-based SQL injection exploit on the book-nurse.php page is a textbook example of how inadequate input handling can compromise database integrity. While it may not immediately leak data, it enables attackers to probe the system and eventually extract sensitive information. Developers must prioritize secure coding practices—especially parameterized queries and input validation—to prevent such vulnerabilities.

Security is not optional; it’s foundational. In systems handling medical or personal data, such as nurse hiring platforms, a single flaw can lead to data breaches with serious consequences.