An attacker can leverage this issue to execute arbitrary SQL commands against the application. In such a scenario, an attacker could poison the database, alter critical data, or even gain access to the database and use it to issue further attacks. A review of the application code showed that malicious input could be injected via the RollNo parameter of the /librarian/delstu.php endpoint. An example injection sequence can be seen below. In the above example, the injection point is the ‘RollNo’ parameter, which the application accepts as a parameter for the ‘delstu’ command. If an attacker sends a request with the value of ‘1’ for the ‘RollNo’ parameter, the application executes a SQL command that deletes all records from the ‘Session’ table; a value of ‘2’ deletes all records from the ‘Library’ table, and a value of ‘3’ deletes all records from the ‘Lists’ table. Another injection point exists in the /librarian/delstu.php endpoint. If an attacker sends a request with the value of ‘1’ for

Vulnerability Proof of Concept (PoC)

Vulnerability Discovery: Find the injection point and the SQL command

The injection point for this vulnerability is the ‘RollNo’ parameter, which the application accepts as a parameter for the ‘delstu’ command. If an attacker sends a request with the value of ‘1’ for the ‘RollNo’ parameter, the application executes a SQL command that deletes all records from the ‘Session’ table; a value of ‘2’ deletes all records from the ‘Library’ table. Another injection point exists in the /librarian/delstu.php endpoint: if an attacker sends a request with the value of ‘1’ for the RollNo parameter, the application executes a SQL command that deletes all records from both tables (Session and Library).
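To illustrate the defect class described above and its fix, here is an added example that is not the application's own code: a delete-by-RollNo handler written in the vulnerable string-concatenation style, beside a hardened prepared-statement version with input validation and an authorization gate. The table name `students`, the mysqli connection details and the `$_SESSION['librarian']` check are assumptions.

```php
<?php
// Added illustration, not code from the affected application. The table
// name `students` and the connection details below are assumptions.

// Vulnerable pattern: RollNo is concatenated straight into the SQL text,
// so a crafted value changes the statement instead of just the WHERE value.
function delete_student_vulnerable(mysqli $db, string $rollNo): bool
{
    $sql = "DELETE FROM students WHERE RollNo = '" . $rollNo . "'";
    return $db->query($sql) === true;
}

// Hardened pattern: a prepared statement keeps RollNo as data. The SQL
// parser never sees its contents as syntax, so quotes and comment markers
// cannot alter the DELETE. Checking the expected shape first rejects
// malformed input before the database is touched at all.
function delete_student_safe(mysqli $db, string $rollNo): bool
{
    if (!preg_match('/^[0-9]{1,10}$/', $rollNo)) {
        return false; // not a roll number; do not run any query
    }
    $stmt = $db->prepare('DELETE FROM students WHERE RollNo = ?');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $rollNo);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Entry point mirroring /librarian/delstu.php (parameter handling assumed).
// A destructive action is limited to POST and to an authenticated librarian
// session (assumed session key) before any SQL runs.
session_start();
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || empty($_SESSION['librarian'])) {
    http_response_code(403);
    exit;
}
$db = new mysqli('localhost', 'user', 'pass', 'library'); // assumed credentials
$rollNo = $_POST['RollNo'] ?? '';
echo delete_student_safe($db, $rollNo) ? 'deleted' : 'rejected';
```

Enabling the mysqli error reporting mode (`mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT)`) during testing makes a failed prepare surface as an exception rather than a silent `false`.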

Timeline

Published on: 08/30/2022 21:15:00 UTC
Last modified on: 09/01/2022 07:00:00 UTC

References