Open in app

Sign in

Write

Sign in

CVE-2024–30990: SQL Injection Vulnerability in Invoices Page of Client Management System using PHP & MySQL 1.1 by Phpgurukul

Shanu Nirwan
2 min readApr 3, 2024

--

Introduction: SQL Injection vulnerabilities pose a significant threat to the security of web applications, allowing attackers to execute arbitrary SQL queries and potentially gain unauthorized access to sensitive data. Today, I uncover a SQL Injection vulnerability discovered in the Invoices page of the Client Management System using PHP & MySQL 1.1 developed by Phpgurukul. This vulnerability, identified as CVE-2024–30990, enables attackers to execute arbitrary SQL queries via the “searchdata” parameter.

Description: The SQL Injection vulnerability in the Invoices page of the Client Management System occurs due to insufficient input validation in the “searchdata” parameter. Attackers can inject malicious SQL payloads into this parameter.

CVE Identifier: CVE-2024–30990 has been assigned to this vulnerability, providing a standardized reference for tracking and addressing the issue. This identifier facilitates collaboration among cybersecurity professionals and enables affected parties to take appropriate measures to mitigate the risk.

Proof of Concept (POC): To exploit this vulnerability, attackers can follow these steps:

  1. Navigate to the Invoices page within the Client Management System.
  2. In the “searchdata” parameter, inject the following SQL payload:
"' AND (SELECT 7454 FROM (SELECT(SLEEP(5)))LuAJ) AND 'awFV'='awFV"

3. Observe a delay of 5 seconds in the response, indicating successful exploitation of the vulnerability.

Note that, we have performed the Blind Time Based SQLi here for just the sake of POC. Alternatively, you can perform a proper attack to exploit the vulnerability either Manually or you can Automate the process by using tools like SQLMap.

Affected Component: The SQL Injection vulnerability affects the “searchdata” parameter in the Invoices page of the Client Management System.

Conclusion: CVE-2024–30990 underscores the importance of robust input validation and security best practices in web application development. By addressing vulnerabilities like SQL Injection, we can enhance the security posture of our digital infrastructure and protect against potential exploitation by malicious actors.

Reference:

Client Management System Project using PHP & MySQL - PHPGurukul

Free Download Client Management System Project using PHP & MySQL with source code,Client Management System Project Free…

phpgurukul.com

Thank You For Reading!

By: Shanu Nirwan

--

--

Shanu Nirwan

Written by Shanu Nirwan

1 Follower

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams