Valid

Reported on

Aug 28th 2022


Summary

The user can submit an SQL query directly to the database, gaining access without providing appropriate credentials. Attackers can then view, export, modify, and delete confidential information; change passwords and other authentication information; and possibly gain access to other systems within the network.

Code

<?php

if(isset($_POST['txtName']))
{
$con = mysqli_connect('localhost', 'root', '','db_service');
$txtName = $_POST['txtName'];
$txtAdh = $_POST['txtAdh'];

$sql = "INSERT INTO `tbl_service` (`Id`, `fldName`, `fldAdh`) VALUES ('0', '$txtName', '$txtAdh')";

$rs = mysqli_query($con, $sql);
if($rs)
{
    echo "Registered Succefully";
}}
else
 {
    echo "an error occured";
  }
?>

Impact

  1. Confidentiality: 1 Since SQL databases generally hold sensitive data, loss of confidentiality is a frequent problem with SQL Injection vulnerabilities.
  1. Authentication: If poor SQL commands are used to check user names and passwords, it may be possible to connect to a system as another user with no previous knowledge of the password.
  1. Authorization: If authorization information is held in a SQL database, it may be possible to change this information through the successful exploitation of a SQL Injection vulnerability.
  1. Integrity: Just as it may be possible to read sensitive information, it is also possible to make changes or even delete this information with a SQL Injection attack.
We are processing your report and will contact the 7h3h4ckv157/covid-19-vaccine-registration team within 24 hours. a month ago
Kiran PP validated this vulnerability a month ago
Arnold Aldrin has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Kiran PP confirmed that a fix has been merged on b2b81c a month ago
Kiran PP has been awarded the fix bounty
Arnold Aldrin
a month ago

Researcher


@admin assign a CVE please!

Jamie Slome
24 days ago

Admin


We have received reports that the activity associated with both of these accounts is coming from the same person.

I can see that @Arnold Aldrin was only created on GitHub two days ago. Please stop all further action of submitting and validating reports immediately and further action will be taken against these accounts.

Kiran PP
24 days ago

Maintainer


@Admin actually, it's done for testing purposes. And to be clear, the role of the triager is missing here. I have permission to assign the CVE (by setting yes) but not been done here but have done it from the other account and pick the comparison. I detailed my interest in the "triager" role through https://huntr.dev/contact-us recently and doesn't earn money or any other scam activities (to be clear)

Check out the case, and if it doesn't make sense I'm responsible for the faith. You can check out the message I sent through your contact page. 🤝

Regards,

Jamie Slome
23 days ago

Admin


Hello, thank you for clarifying, however, we do not encourage or accept the submission of test reports.

We are not currently looking for triagers but will get in touch via e-mail if we do in the future :)

Kiran PP
23 days ago

Maintainer


Thanks a lot, Jamie ❤

I always love to contribute 🤝

to join this conversation