CVE-2024-30985: SQL Injection Vulnerability in Client Management System using PHP & MySQL 1.1 by Phpgurukul

Shanu Nirwan
3 min read · Apr 3, 2024

Introduction: Cybersecurity vulnerabilities pose a significant threat to the integrity and security of digital systems. In this post I describe a vulnerability I discovered in the Client Management System using PHP & MySQL 1.1 developed by Phpgurukul. The vulnerability, tracked as CVE-2024-30985, exposes the system to SQL Injection, enabling attackers to execute arbitrary SQL commands via the “todate” and “fromdate” parameters.

Overview: The vulnerability resides in the “B/W Dates Reports” feature of the Client Management System, where the “todate” and “fromdate” parameters are placed into a database query without adequate input validation or parameterization. By supplying crafted values, an attacker can change the structure of the query and potentially read or modify sensitive data held in the application’s database.

CVE Identifier: CVE-2024-30985 has been assigned to this vulnerability, providing a standardized reference for tracking and addressing the issue. The identifier lets affected parties and security professionals refer to the same issue and take appropriate measures to mitigate the risk.

Description: The SQL Injection vulnerability in the Client Management System arises due to insufficient input validation in the “todate” and “fromdate” parameters within the “/admin/bwdates-reports-details.php” file.

Proof of Concept (POC): To exploit this vulnerability, an attacker can follow these steps:

1. Navigate to the “B/W Dates Reports” page within the Client Management System.
2. In the “todate” and “fromdate” parameters (each is injectable), supply the following payload:
   "' AND (SELECT 5881 FROM (SELECT(SLEEP(5)))MYjI) AND 'xUhf'='xUhf"
3. Click the relevant button or submit the form to trigger the SQL Injection.
4. The page responds after a delay of approximately 5 seconds, matching the SLEEP(5) in the payload and confirming that the injected SQL was executed by the database.

Note that a blind, time-based SQLi was used here only for the sake of the POC, because the delay is an unambiguous signal that does not depend on the page’s output. Alternatively, the vulnerability can be exploited fully, either manually or by automating the process with tools like SQLMap.

Affected Component: The SQL Injection vulnerability affects the “todate” and “fromdate” parameters within the “/admin/bwdates-reports-details.php” file of the Client Management System.
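To make the root cause and the fix concrete, the following is an added example and not code from Phpgurukul’s Client Management System: a minimal reconstruction of how a “between dates” report handler ends up injectable when the request parameters are spliced into the SQL text, next to a hardened version that validates the date shape and binds the values with a PDO prepared statement. The table and column names (tblclients, DateOfJoining), the parameter names after the POC, and the $pdo connection details are assumptions made for illustration; the real schema may differ.

```php
<?php
// Added example (not code from the Client Management System): unsafe query
// construction beside a hardened handler. Table/column names are assumed.

// --- Unsafe pattern: request parameters are spliced into the SQL text. ---
function buildReportQueryUnsafe(string $fromdate, string $todate): string
{
    return "SELECT * FROM tblclients WHERE DATE(DateOfJoining) "
         . "BETWEEN '$fromdate' AND '$todate'";
}

// The payload from the proof of concept above, used as the "todate" value.
$payload = "' AND (SELECT 5881 FROM (SELECT(SLEEP(5)))MYjI) AND 'xUhf'='xUhf";
echo buildReportQueryUnsafe('2024-01-01', $payload), PHP_EOL;
// Resulting SQL text:
//   SELECT * FROM tblclients WHERE DATE(DateOfJoining) BETWEEN '2024-01-01'
//   AND '' AND (SELECT 5881 FROM (SELECT(SLEEP(5)))MYjI) AND 'xUhf'='xUhf'
// The leading quote in the payload closes the string literal, so SLEEP(5)
// becomes part of the WHERE clause: MySQL evaluates it and the response is
// delayed by roughly five seconds, which is the signal the POC observes.

// --- Hardened pattern: validate the shape, then bind as a parameter. ---
function isIsoDate(string $value): bool
{
    // Accept only YYYY-MM-DD and reject impossible dates such as 2024-02-30
    // (createFromFormat rolls those over, so the round trip would not match).
    $d = DateTime::createFromFormat('!Y-m-d', $value);
    return $d !== false && $d->format('Y-m-d') === $value;
}

function fetchClientsBetween(PDO $pdo, string $fromdate, string $todate): array
{
    if (!isIsoDate($fromdate) || !isIsoDate($todate)) {
        throw new InvalidArgumentException('fromdate and todate must be YYYY-MM-DD');
    }
    // Prepared statement: the values are sent to MySQL separately from the SQL
    // text, so a quote inside them can never change the query's structure.
    $stmt = $pdo->prepare(
        'SELECT * FROM tblclients WHERE DATE(DateOfJoining) BETWEEN :fromdate AND :todate'
    );
    $stmt->execute([':fromdate' => $fromdate, ':todate' => $todate]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage in the report page (connection details are placeholders):
// $pdo = new PDO('mysql:host=localhost;dbname=cms', 'user', 'pass', [
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
//     PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
// ]);
// $rows = fetchClientsBetween($pdo, $_POST['fromdate'] ?? '', $_POST['todate'] ?? '');
```

The validation step is defence in depth rather than the fix itself: the prepared statement alone stops the injection, but rejecting anything that is not a well-formed date also stops the time-based probe from reaching the database at all, and gives a clean error instead of an empty report when a user mistypes a date.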

Conclusion: CVE-2024-30985 underscores the critical importance of robust security practices in software development and deployment. By addressing vulnerabilities like SQL Injection in the Client Management System, we can enhance the security posture of our digital infrastructure and mitigate the risk of exploitation. Let us remain vigilant in our efforts to protect sensitive data and uphold the integrity of our systems.

Thank You For Reading!

By: Shanu Nirwan