Beauty Salon Management System v1.0 - SQLi

Exploiting SQL Injection in Beauty Salon Management System v1.0: A Deep Dive into a Real-World Vulnerability

SQL Injection (SQLi) remains one of the most prevalent and dangerous web application vulnerabilities, consistently ranking high on the CWE Top 25 list. In April 2023, cybersecurity researcher Fatih Nacar uncovered a critical SQL Injection flaw in the Beauty Salon Management System v1.0, developed by Campcodes—a PHP-based application intended for managing salon operations, appointments, and user access.

Understanding the Vulnerability

The system’s admin login interface at http://localhost/Chic%20Beauty%20Salon%20System/admin/index.php exposes a critical flaw: improper input sanitization in the username and password fields. The application uses MySQLi for database interactions but fails to validate or escape user input, allowing attackers to inject malicious SQL code.

According to CWE-89, this vulnerability falls under “Improper Neutralization of Input During Web Page Generation,” where user-supplied data is directly inserted into SQL queries without proper sanitization. This creates a direct path for attackers to manipulate database queries and bypass authentication.

Exploitation Mechanism: How SQL Injection Bypasses Authentication

Consider the login process: the application likely executes a query like:

SELECT * FROM admins WHERE username = '$username' AND password = '$password'

If the application does not use prepared statements or input validation, an attacker can manipulate the username field to alter the logic of the SQL query. The payload provided by Fatih Nacar demonstrates this flaw effectively:

username=admin' AND 6374=(SELECT (CASE WHEN (6374=6374) THEN 6374 ELSE (SELECT 6483 UNION SELECT 1671) END))-- vqBh&password=test&login=Sign In

This payload works by exploiting a boolean-based blind SQL injection technique. The attacker uses a conditional expression (CASE WHEN) to force the query to evaluate to true regardless of the actual username, while the UNION SELECT clause triggers a subquery error that is only triggered if the condition is false.

Here’s what happens step-by-step:

• The admin' part closes the string literal.
• The AND 6374=(SELECT ...) clause forces the database to evaluate whether 6374=6374—which is always true.
• Because the condition is true, the THEN 6374 branch executes, returning a valid number.
• The ELSE (SELECT 6483 UNION SELECT 1671) clause is never executed.
• The -- vqBh comment disables the rest of the query, preventing syntax errors.

As a result, the SQL query evaluates to true, and the system grants access, even though the password is incorrect.

Verification via sqlmap: Confirming the Vulnerability

Using sqlmap, a popular automated SQL injection tool, the vulnerability was confirmed with the following results:

Injection Type	Payload	Explanation
Boolean-based Blind	username=admin' AND 6374=(SELECT (CASE WHEN (6374=6374) THEN 6374 ELSE (SELECT 6483 UNION SELECT 1671) END))-- vqBh	Exploits conditional logic to trigger a boolean response based on query outcome.
Time-based Blind	username=admin' AND (SELECT 1468 FROM (SELECT(SLEEP(5)))qZVk)-- rvYF	Uses SLEEP(5) to delay response, confirming injection via time delay.

These results confirm that the username parameter is vulnerable to both boolean-based and time-based blind injection attacks—indicating that the system is not only vulnerable but also lacks proper error handling or logging, making detection difficult for administrators.

Technical Stack and Risk Assessment

The application runs on:

• PHP 8.2.4 – a modern, widely used scripting language.
• Apache 2.4.56 – a robust web server.
• MySQL >= 5.0.12 (MariaDB fork) – a powerful relational database.

Despite the use of a modern stack, the lack of secure coding practices makes the system highly susceptible to exploitation. The absence of prepared statements or input validation is the root cause.

Best Practices to Prevent SQL Injection

Developers must follow established security principles to avoid such vulnerabilities:

• Use Prepared Statements – Always use parameterized queries instead of string concatenation.
• Input Sanitization – Validate and escape user input before database interaction.
• Least Privilege – Limit database user permissions to only what’s necessary.
• Log and Monitor – Enable logging of suspicious queries and monitor for anomalies.

Here’s an example of a secure login query using MySQLi prepared statements:

$stmt = $mysqli->prepare("SELECT * FROM admins WHERE username = ? AND password = ?");
$stmt->bind_param("ss", $username, $password);
$stmt->execute();
$result = $stmt->get_result();

With this approach, the input is treated as data, not executable code—eliminating the possibility of SQL injection.

Impact and Remediation

For the Beauty Salon Management System v1.0, the consequences are severe:

• Unauthorized access to admin panels.
• Full control over user data, appointments, financial records.
• Potential data exfiltration or modification.
• Reputation damage for the vendor (Campcodes).

Remediation steps include:

• Immediate patching of the login form with prepared statements.
• Implementing a web application firewall (WAF) to detect and block SQL injection attempts.
• Conducting a full code audit for other vulnerable endpoints.
• Updating the application to use secure coding standards (e.g., OWASP Top 10).

Conclusion

SQL Injection in the Beauty Salon Management System v1.0 serves as a stark reminder that even seemingly simple applications can harbor critical vulnerabilities. The exploit demonstrates how a single flaw in input handling can lead to full system compromise. Developers must prioritize security from the outset—never assuming that "it’s just a small project" means "it’s safe."

As cyber threats evolve, tools like sqlmap and automated scanners make it easier for attackers to find and exploit flaws. But they also empower defenders to proactively identify and fix vulnerabilities before they are weaponized.