In today's cybersecurity landscape, SQL injection is a common yet critical class of vulnerability that can expose sensitive data or even lead to complete system compromise. The goal of this post is to shed light on a vulnerability identified in Sourcecodester Stock Management System v1., assigned the CVE ID CVE-2024-36779. We will describe the exploitation process, highlight the relevant sections of the source code, discuss the required tools, and walk through the steps that demonstrate this vulnerability.

The Sourcecode

Stock Management System v1. is a web-based application developed to help businesses manage their inventory. It is vulnerable to SQL injection because user input reaches the database without validation or query parameterization in the "editCategories.php" file.

The vulnerable portion of the source code is as follows:

<?php
    // ..
    if(ISSET($_POST['edit'])){
        // Raw, untrusted request parameter; no validation or escaping is applied.
        $category = $_POST['category'];
        // The value is spliced straight into the SQL text, so any quote in it
        // terminates the string literal and the remainder is parsed as SQL.
        $query = $conn->query("SELECT * FROM category WHERE category = '$category'") or die(mysqli_error());
        $valid = $query->num_rows;
        if($valid > 0){
            echo "<script>alert('Category already exist!')</script>";
        }else{
            // Same untrusted value is concatenated into the INSERT as well.
            $conn->query("INSERT INTO category VALUES('', '$category')") or die(mysqli_error());
            echo "<script>window.location = 'category.php'</script>";
        }
    }
?>

As seen above, the code builds both queries by concatenating the user input ($_POST['category']) directly into the SQL string, with no validation, escaping, or parameter binding. An attacker can craft a POST request whose "category" parameter contains SQL syntax, which the database then executes as part of the query, allowing them to read data the application never intended to expose.

Exploit Details

To exploit this vulnerability, the attacker takes advantage of the unsanitized user input and injects their own SQL. An example payload is ' OR '1'='1 which, once spliced into the query above, closes the string literal and turns the WHERE clause into a condition that is true for every row, so the check no longer depends on the data at all; the same technique applies to any other check the application performs through string-built queries.

The following is a cURL command that simulates the exploit:

curl -X POST -d "category=' OR '1'='1" http://target.com/editCategories.php

Successful exploitation of this vulnerability could result in sensitive data exposure, including usernames, hashed passwords, and other confidential information. Attackers could also potentially modify or delete data, and execute administrative actions to further compromise the system.

How to Protect Yourself

To protect against SQL injection attacks, it is important to validate input and, above all, to use parameterized queries (prepared statements) so that user-supplied values are bound as data and never parsed as SQL. The vulnerable code above rewritten with mysqli prepared statements looks like this:

<?php
    if(ISSET($_POST['edit'])){
        $category = $_POST['category'];

        // The SQL text is fixed; the value is sent separately as a bound parameter,
        // so quotes or keywords in $category cannot change the query's structure.
        $stmt = $conn->prepare("SELECT * FROM category WHERE category = ?");
        $stmt->bind_param("s", $category);
        $stmt->execute();
        // get_result() requires the mysqlnd driver; with other drivers use
        // store_result() and num_rows instead.
        $result = $stmt->get_result();
        $valid = $result->num_rows;

        if($valid > 0){
            echo "<script>alert('Category already exist!')</script>";
        }else{
            // The INSERT is parameterized the same way.
            $stmt_insert = $conn->prepare("INSERT INTO category VALUES('', ?)");
            $stmt_insert->bind_param("s", $category);
            $stmt_insert->execute();
            echo "<script>window.location = 'category.php'</script>";
        }
    }
?>
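To make the difference concrete, here is an added Python example (not part of the original post or of the Stock Management System code) that mirrors the "category already exists" check in both forms, string concatenation and parameter binding, against an in-memory SQLite table and runs the post's payload through each. The table, its rows, and the function names are constructed for illustration.

```python
import sqlite3

# Constructed sample rows standing in for the application's `category` table.
SAMPLE_CATEGORIES = ["Electronics", "Furniture"]

# The payload quoted in the post, used here only to compare the two query styles.
TAUTOLOGY_PAYLOAD = "' OR '1'='1"


def make_db():
    """Create an in-memory table shaped like the app's `category` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE category (id INTEGER PRIMARY KEY, category TEXT)")
    conn.executemany("INSERT INTO category (category) VALUES (?)",
                     [(c,) for c in SAMPLE_CATEGORIES])
    conn.commit()
    return conn


def count_matches_concat(conn, category):
    """Mirror of the vulnerable editCategories.php: input spliced into the SQL text."""
    sql = f"SELECT * FROM category WHERE category = '{category}'"
    return len(conn.execute(sql).fetchall())


def count_matches_param(conn, category):
    """Mirror of the prepared-statement fix: the value is bound, never parsed as SQL."""
    sql = "SELECT * FROM category WHERE category = ?"
    return len(conn.execute(sql, (category,)).fetchall())


def category_exists(conn, category, use_params=True):
    """The `$valid > 0` check from the post, in either query style."""
    count = count_matches_param(conn, category) if use_params \
        else count_matches_concat(conn, category)
    return count > 0


def compare(category):
    """Return (result with concatenation, result with binding) for one input."""
    conn = make_db()
    return (category_exists(conn, category, use_params=False),
            category_exists(conn, category, use_params=True))


if __name__ == "__main__":
    for value in ["Electronics", "Toys", TAUTOLOGY_PAYLOAD]:
        print(repr(value), "->", compare(value))
```

With the concatenated query the payload matches every row, so a category that does not exist is reported as existing; with the bound parameter the database looks for the literal string and finds nothing.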

Additionally, make sure to keep your software up-to-date and to apply security patches from reputable sources.

Original References

- CVE-2024-36779
- Stock Management System v1.

Conclusion

SQL injection is a pervasive issue in web application security, and understanding how to both exploit and protect against it is crucial for developers and security team members alike. By thoroughly examining your application code, implementing secure input handling techniques, and staying informed of the latest trends and vulnerabilities, you can work towards safeguarding your applications from such threats.

Timeline

Published on: 06/06/2024 13:15:31 UTC
Last modified on: 08/20/2024 16:35:20 UTC