Valid

Reported on

Aug 28th 2022


Summary

The user can submit an SQL query directly to the database, gaining access without providing appropriate credentials. Attackers can then view, export, modify, and delete confidential information; change passwords and other authentication information; and possibly gain access to other systems within the network.

Code

<?php

if (isset($_POST['txtName']))
{
    $con = mysqli_connect('localhost', 'root', '', 'db_service');
    // Request values are taken as-is, with no validation or escaping
    $txtName = $_POST['txtName'];
    $txtAdh = $_POST['txtAdh'];

    // Vulnerable: user input is concatenated directly into the SQL statement
    $sql = "INSERT INTO `tbl_service` (`Id`, `fldName`, `fldAdh`) VALUES ('0', '$txtName', '$txtAdh')";

    $rs = mysqli_query($con, $sql);
    if ($rs)
    {
        echo "Registered Succefully";
    }
    else
    {
        echo "an error occured";
    }
}
?>

Impact

  1. Confidentiality: Since SQL databases generally hold sensitive data, loss of confidentiality is a frequent problem with SQL Injection vulnerabilities.
  2. Authentication: If poor SQL commands are used to check user names and passwords, it may be possible to connect to a system as another user with no previous knowledge of the password.
  3. Authorization: If authorization information is held in a SQL database, it may be possible to change this information through the successful exploitation of a SQL Injection vulnerability.
  4. Integrity: Just as it may be possible to read sensitive information, it is also possible to make changes or even delete this information with a SQL Injection attack.
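
Added example, not taken from the report or the project's code: the concatenated INSERT pattern shown under Code beside a parameterized version, run against a constructed input that contains a single quote. PDO with an in-memory SQLite database stands in for the page's mysqli/MySQL connection so it runs without a server; the function names, the simplified table definition and the sample values are assumptions.

```php
<?php
// Added example: constructed schema and inputs. PDO + in-memory SQLite stand in
// for the page's mysqli/MySQL connection (assumption) so no server is needed.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tbl_service (Id INTEGER PRIMARY KEY, fldName TEXT, fldAdh TEXT)');

// Pattern from the report: request values are pasted into the SQL text,
// so the database parses them as part of the statement.
function insert_concatenated(PDO $db, string $name, string $adh): bool
{
    $sql = "INSERT INTO tbl_service (fldName, fldAdh) VALUES ('$name', '$adh')";
    return $db->exec($sql) === 1;
}

// Hardened form: the SQL text is fixed and the values travel separately
// as bound parameters, so they can never change the statement's structure.
function insert_prepared(PDO $db, string $name, string $adh): bool
{
    $stmt = $db->prepare(
        'INSERT INTO tbl_service (fldName, fldAdh) VALUES (:name, :adh)'
    );
    return $stmt->execute([':name' => $name, ':adh' => $adh]);
}

// Constructed input: an ordinary name that happens to contain a quote.
$name = "O'Brien";
$adh  = '1234-5678-9012';

try {
    insert_concatenated($db, $name, $adh);
    echo "concatenated: stored\n";
} catch (PDOException $e) {
    // The quote closed the string literal early; the rest was parsed as SQL.
    echo "concatenated: input altered the statement (", $e->getMessage(), ")\n";
}

insert_prepared($db, $name, $adh);
$row = $db->query('SELECT fldName, fldAdh FROM tbl_service')
          ->fetch(PDO::FETCH_ASSOC);
echo "prepared: stored fldName=", $row['fldName'], " fldAdh=", $row['fldAdh'], "\n";
```

With mysqli, as used in the reported code, the same pattern is available through mysqli_prepare(), mysqli_stmt_bind_param() and mysqli_stmt_execute().
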
We are processing your report and will contact the 7h3h4ckv157/covid-19-vaccine-registration team within 24 hours. a year ago
7h3h4ckv157 validated this vulnerability a year ago
Arnold Aldrin has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
7h3h4ckv157 marked this as fixed in 1.1 with commit b2b81c a year ago
7h3h4ckv157 has been awarded the fix bounty
This vulnerability will not receive a CVE
Arnold Aldrin
a year ago

Researcher


@admin assign a CVE please!

Jamie Slome
a year ago

Admin


We have received reports that the activity associated with both of these accounts is coming from the same person.

I can see that @Arnold Aldrin was only created on GitHub two days ago. Please stop all further action of submitting and validating reports immediately and further action will be taken against these accounts.

7h3h4ckv157
a year ago

Maintainer


@Admin actually, it's done for testing purposes. And to be clear, the role of the triager is missing here. I have permission to assign the CVE (by setting yes) but not been done here but have done it from the other account and pick the comparison. I detailed my interest in the "triager" role through https://huntr.dev/contact-us recently and doesn't earn money or any other scam activities (to be clear)

Check out the case, and if it doesn't make sense I'm responsible for the faith. You can check out the message I sent through your contact page. 🤝

Regards,

Jamie Slome
a year ago

Admin


Hello, thank you for clarifying, however, we do not encourage or accept the submission of test reports.

We are not currently looking for triagers but will get in touch via e-mail if we do in the future :)

7h3h4ckv157
a year ago

Maintainer


Thanks a lot, Jamie ❤

I always love to contribute 🤝
