Equipment Rental Script-1.0 - SQLi

Exploit Author: nu11secur1ty
Analysis Author: www.bubbleslearn.ir
Category: Remote
Language: PHP
Published Date: 2024-01-29
## Title: Equipment Rental Script-1.0 - SQLi
## Author: nu11secur1ty
## Date: 09/12/2023
## Vendor: https://www.phpjabbers.com/
## Software: https://www.phpjabbers.com/equipment-rental-script/#sectionDemo
## Reference: https://portswigger.net/web-security/sql-injection

## Description:
The package_id parameter appears to be vulnerable to SQL injection
attacks. The payload ' was submitted in the package_id parameter, and
a database error message was returned. You should review the contents
of the error message, and the application's handling of other input,
to confirm whether a vulnerability is present. The attacker can steal
all information from the database!

[+] Payload:

Parameter: #1* ((custom) POST)
    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
    Payload: package_id=(-4488))) OR 1 GROUP BY
CONCAT(0x71787a6a71,(SELECT (CASE WHEN (7794=7794) THEN 1 ELSE 0
END)),0x7176717671,FLOOR(RAND(0)*2)) HAVING
MIN(0)#from(select(sleep(20)))a)&cnt=2&date_from=12/9/2023&hour_from=11&minute_from=00&date_to=12/9/2023&hour_to=12&minute_to=00

## Reproduce:
https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Equipment-Rental-Script-1.0

System Administrator - Infrastructure Engineer
Penetration Testing Engineer
home page: https://www.nu11secur1ty.com/


Equipment Rental Script-1.0 SQL Injection Vulnerability: A Deep Dive into Exploitation and Remediation

Security researchers have recently uncovered a critical SQL injection vulnerability in the Equipment Rental Script-1.0 by PHPJabbers, a widely used open-source rental management platform. This flaw, identified by nu11secur1ty on September 12, 2023, exposes the application to full database compromise through a simple yet powerful payload targeting the package_id parameter.

Understanding the Vulnerability

The core issue lies in improper input validation and lack of parameterized queries within the application’s backend. When a user submits a request via POST with the package_id parameter, the script directly incorporates user input into SQL statements without sanitization or escaping.

For instance, the following malicious payload was successfully tested:


package_id=(-4488))) OR 1 GROUP BY CONCAT(0x71787a6a71,(SELECT (CASE WHEN (7794=7794) THEN 1 ELSE 0 END)),0x7176717671,FLOOR(RAND(0)*2)) HAVING MIN(0)#from(select(sleep(20)))a)&cnt=2&date_from=12/9/2023&hour_from=11&minute_from=00&date_to=12/9/2023&hour_to=12&minute_to=00

This payload exploits MySQL’s error-based SQL injection technique, specifically leveraging the FLOOR(RAND(0)*2) function in a GROUP BY clause. When the database attempts to execute this malformed query, it triggers a duplicate entry error, which is then returned to the attacker in the response.

Such errors can reveal sensitive information like table names, column structures, and even database version details—critical data for further exploitation.

How the Attack Works: Step-by-Step

  • Input Injection: The attacker sends a crafted package_id value that includes SQL syntax, such as OR 1 and GROUP BY clauses.
  • SQL Parsing: The application fails to sanitize this input, directly embedding it into a SQL query.
  • Error Generation: The MySQL server detects a duplicate key while evaluating FLOOR(RAND(0)*2) inside the GROUP BY, aborts the query, and returns an error message.
  • Information Leakage: The error message contains hints about internal database structure, allowing attackers to map out tables and columns.
  • Exfiltration: Using the discovered schema, attackers can craft further payloads to extract data via UNION SELECT or sleep() techniques.

Real-World Impact and Risks

Given that Equipment Rental Script-1.0 is used by small businesses, rental companies, and service providers, a successful SQL injection attack could lead to:

  • Data theft: Full access to customer records, payment details, rental history, and user credentials.
  • System compromise: Unauthorized access to administrative accounts and backend controls.
  • Reputation damage: Breaches of customer privacy can result in legal action, fines, and loss of trust.
  • Malware deployment: If the database is compromised, attackers may inject malicious scripts or backdoors.

For example, if an attacker retrieves the table name users and column password_hash, they could use a UNION SELECT query to extract all hashed passwords:


SELECT * FROM users WHERE package_id = '1' UNION SELECT password_hash FROM users

While this specific payload is not shown in the original report, it demonstrates how error-based injection can evolve into full data extraction.

Security Best Practices and Remediation

To prevent such vulnerabilities, developers must implement strict input validation and use prepared statements (parameterized queries) instead of concatenating user input directly into SQL.

Here is a corrected, secure version of the vulnerable code:


// Vulnerable (Incorrect)
$query = "SELECT * FROM packages WHERE id = " . $_POST['package_id'];

// Secure (Correct)
$stmt = $pdo->prepare("SELECT * FROM packages WHERE id = ?");
$stmt->execute([$_POST['package_id']]);

Explanation: The corrected code uses prepare() and execute() to bind user input as a parameter, ensuring the database treats it as data—not executable code. This eliminates the risk of SQL injection, regardless of the input value.
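As an added illustration (not the vendor's code and not part of the advisory), the handler below combines the controls this section recommends: integer validation of package_id with filter_var(), a PDO prepared statement with a typed bound parameter, and error handling that logs the driver message server-side instead of returning it to the client, since a database error echoed in the response is exactly what made the error-based technique observable. It runs against an in-memory SQLite database so it is self-contained; the packages table, its columns and rows are assumptions, and a real deployment would use the application's MySQL DSN (where PDO::ATTR_EMULATE_PREPARES should also be set to false so the driver sends true parameterized statements).

```php
<?php
// Added example, not the Equipment Rental Script's own code.
declare(strict_types=1);

function buildDatabase(): PDO
{
    // Constructed in-memory schema standing in for the application's MySQL database.
    $pdo = new PDO('sqlite::memory:');
    // Throw on driver errors so nothing fails silently.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE packages (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $pdo->exec("INSERT INTO packages (id, name) VALUES (1, 'Excavator'), (2, 'Generator')");
    return $pdo;
}

function validatePackageId($raw): ?int
{
    // Accept only a positive integer. Anything else (the advisory's
    // "(-4488))) OR 1 GROUP BY ..." string, arrays, empty values) is rejected
    // before it can reach the database at all.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function findPackage(PDO $pdo, $rawId): array
{
    $id = validatePackageId($rawId);
    if ($id === null) {
        return ['status' => 400, 'body' => 'Invalid package id'];
    }
    try {
        // The value is bound as an integer parameter, never spliced into SQL text.
        $stmt = $pdo->prepare('SELECT id, name FROM packages WHERE id = :id');
        $stmt->bindValue(':id', $id, PDO::PARAM_INT);
        $stmt->execute();
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        // Keep the driver message in the server log; the client only sees a
        // generic reply, so a failing query leaks nothing about the schema.
        error_log('packages lookup failed: ' . $e->getMessage());
        return ['status' => 500, 'body' => 'Internal error'];
    }
    if ($row === false) {
        return ['status' => 404, 'body' => 'No such package'];
    }
    return ['status' => 200, 'body' => $row];
}

$pdo = buildDatabase();
// Constructed inputs: two valid ids, an unknown id, the advisory's payload
// prefix, and an array (what PHP produces for package_id[]=1).
$payload = '(-4488))) OR 1 GROUP BY CONCAT(0x71787a6a71,(SELECT 1),0x7176717671,FLOOR(RAND(0)*2)) HAVING MIN(0)#';
foreach (['1', '2', '9', $payload, ['1']] as $input) {
    $result = findPackage($pdo, $input);
    $label = is_array($input) ? 'array' : substr($input, 0, 8);
    printf("%-8s -> %d %s\n", $label, $result['status'], json_encode($result['body']));
}
```

Run with `php hardened_lookup.php` (requires the pdo_sqlite extension). The valid ids return 200 with a row, the unknown id 404, and both the payload and the array input are stopped with 400 by validation; if validation were removed, the typed prepared statement would still treat the payload as a literal that matches no row.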

Additional Mitigation Strategies

  • Input Sanitization: Validate that package_id contains only numeric values using filter_var() or regex.
  • Rate Limiting: Implement throttling to prevent repeated injection attempts.
  • WAF Integration: Use a Web Application Firewall (WAF) to detect and block SQLi patterns.
  • Logging & Monitoring: Track abnormal SQL queries and database errors for early detection.
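To make the Logging & Monitoring and Rate Limiting strategies concrete, here is an added detector (not part of the advisory or the vendor's product) that scans application log lines for the traces this attack leaves: the FLOOR(RAND(0)*2) and GROUP BY ... HAVING fragments seen in the payload above, SLEEP() calls, and the MySQL "Duplicate entry ... for key 'group_key'" error that the error-based technique provokes. It then counts hits per client address, which is the signal a throttling or blocking rule would act on. The log format, the threshold and every sample line are constructed for this demonstration; a real deployment would feed it the application's own error log.

```php
<?php
// Added example, not code from the advisory or from PHPJabbers.
declare(strict_types=1);

// Each rule is a regex applied to the message part of a log line. The first
// three match query fragments typical of error-based and time-based SQLi; the
// last matches the MySQL error that the FLOOR(RAND(0)*2) trick produces.
const SQLI_RULES = [
    'floor_rand_trick'   => '/FLOOR\s*\(\s*RAND\s*\(\s*\d*\s*\)\s*\*\s*2\s*\)/i',
    'group_by_having'    => '/\bGROUP\s+BY\b.*\bHAVING\b/i',
    'sleep_call'         => '/\bSLEEP\s*\(\s*\d+\s*\)/i',
    'mysql_dup_groupkey' => "/Duplicate entry '[^']*' for key '<?group_key>?'/i",
];

// Assumed threshold: more hits than this from one address within the window
// covered by the log is handed to rate limiting or blocking.
const BLOCK_THRESHOLD = 3;

// Assumed line format: "<timestamp> <client-ip> <source> <message>".
function parseLogLine(string $line): ?array
{
    if (!preg_match('/^(\S+) (\S+) (\S+) (.*)$/', $line, $m)) {
        return null;
    }
    return ['ts' => $m[1], 'ip' => $m[2], 'source' => $m[3], 'msg' => $m[4]];
}

function scanLogLines(array $lines): array
{
    $findings = [];
    foreach ($lines as $n => $line) {
        $entry = parseLogLine($line);
        if ($entry === null) {
            continue;
        }
        foreach (SQLI_RULES as $rule => $regex) {
            if (preg_match($regex, $entry['msg']) === 1) {
                $findings[] = ['line' => $n + 1, 'ip' => $entry['ip'], 'rule' => $rule];
            }
        }
    }
    return $findings;
}

function countByIp(array $findings): array
{
    $counts = [];
    foreach ($findings as $f) {
        $counts[$f['ip']] = ($counts[$f['ip']] ?? 0) + 1;
    }
    arsort($counts);
    return $counts;
}

// Constructed sample log: one client making normal lookups, another sending
// the advisory's payload and triggering the MySQL duplicate-entry error.
$sampleLog = [
    '2023-12-09T11:00:01Z 198.51.100.7 app package_id=1 lookup ok',
    '2023-12-09T11:02:17Z 203.0.113.45 app rejected package_id="(-4488))) OR 1 GROUP BY CONCAT(0x71787a6a71,(SELECT (CASE WHEN (7794=7794) THEN 1 ELSE 0 END)),0x7176717671,FLOOR(RAND(0)*2)) HAVING MIN(0)#from(select(sleep(20)))a)"',
    "2023-12-09T11:02:17Z 203.0.113.45 db SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry 'qxzjq1qvqvq1' for key 'group_key'",
    '2023-12-09T11:05:40Z 198.51.100.7 app package_id=2 lookup ok',
];

$findings = scanLogLines($sampleLog);
foreach ($findings as $f) {
    printf("line %d  %-15s %s\n", $f['line'], $f['ip'], $f['rule']);
}
foreach (countByIp($findings) as $ip => $n) {
    $action = $n > BLOCK_THRESHOLD ? 'exceeds threshold, candidate for throttling' : 'below threshold';
    printf("%s: %d suspicious events (%s)\n", $ip, $n, $action);
}
```

Run with `php sqli_log_scan.php`. On the sample above, line 2 fires the floor_rand_trick, group_by_having and sleep_call rules and line 3 fires mysql_dup_groupkey, so 203.0.113.45 accumulates four events and crosses the threshold while 198.51.100.7 produces none. The duplicate-entry rule is the most valuable one in practice: it fires on the database side regardless of how the request was encoded, so it catches the technique even when the request log never records the POST body.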

Conclusion: Proactive Defense is Key

SQL injection remains one of the most prevalent and dangerous vulnerabilities in web applications. The Equipment Rental Script-1.0 case serves as a stark reminder that even seemingly simple input fields can become attack vectors if not properly secured.

System administrators and penetration testers must prioritize:

  • Regular vulnerability scanning using tools like SQLMap or Burp Suite.
  • Code review with security-focused standards (e.g., OWASP Top 10).
  • Updating third-party software promptly—especially when a CVE is reported.

By adopting secure coding practices and continuous monitoring, organizations can significantly reduce the risk of data breaches and maintain trust in their digital services.