Blood Bank Management System 1.0, SQL Injection, CVE-2025-3308 (Critical)

How CVE-2025-3308 Works

The vulnerability exists in the `/viewrequest.php` file of Blood Bank Management System 1.0 where user-supplied input through the `ID` parameter is directly concatenated into SQL queries without proper sanitization. Attackers can craft malicious SQL payloads to manipulate database queries, enabling unauthorized data access, modification, or deletion. The flaw has a CVSS 4.0 score of 6.9 (MEDIUM) with network-based attack vector (AV:N), low attack complexity (AC:L), and no privileges required (PR:N). Exploitation occurs when specially crafted HTTP requests containing SQL injection payloads are sent to the vulnerable endpoint, allowing arbitrary SQL command execution under the application’s database context.

DailyCVE Form

Platform: Blood Bank Management System
Version: 1.0
Vulnerability: SQL Injection
Severity: Critical
Date: 04/08/2025

What Undercode Say:

Exploitation:

GET /viewrequest.php?ID=1'+UNION+SELECT+1,2,3,4,5,6,7,8,9,version(),11--+- HTTP/1.1
Host: target.com

Detection Command:

sqlmap -u "http://target.com/viewrequest.php?ID=1" --risk=3 --level=5

Mitigation Code (PHP):

// Escape the raw ID before it is placed inside the single-quoted literal below.
$id = mysqli_real_escape_string($conn, $_GET['ID']);
// Original line was missing the column list ("SELECT FROM"), which is a syntax error.
$query = "SELECT * FROM requests WHERE id = '$id'";

WAF Rule:

location ~ /viewrequest\.php$ {
    # Reject an ID value carrying quote or semicolon characters (crude filter, not a fix for the query itself).
    if ($arg_ID ~ "[;'\"]") { return 403; }
    # Keep the site's existing fastcgi_pass / include directives here so PHP is still served.
}

Database Patch:

-- Host part assumed to be localhost; adjust it to match the account's actual definition.
REVOKE DELETE ON bloodbank_db.* FROM 'webapp_user'@'localhost';

Log Analysis:

grep '/viewrequest.php' access.log | grep -Ei 'union|select|sleep|benchmark'
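The grep above only sees keywords that appear literally; a URL-encoded payload (`%27`, `%20`) slips past it. The following added script (not part of the original page or the DailyCVE project) parses access-log lines, decodes the `ID` query parameter of `/viewrequest.php` requests, and flags non-numeric values that carry SQL keywords or quote/comment characters. The log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access.log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Apr/2025:10:01:02 +0000] "GET /viewrequest.php?ID=7 HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
10.0.0.9 - - [08/Apr/2025:10:01:09 +0000] "GET /viewrequest.php?ID=1'+UNION+SELECT+1,2,3,4,5,6,7,8,9,version(),11--+- HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
10.0.0.9 - - [08/Apr/2025:10:01:15 +0000] "GET /viewrequest.php?ID=1%27%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
10.0.0.7 - - [08/Apr/2025:10:02:00 +0000] "GET /index.php?page=union HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Keywords from the grep above plus the quote/comment characters an injected ID would carry.
SQLI_RE = re.compile(r"(?i)(\bunion\b|\bselect\b|\bsleep\s*\(|\bbenchmark\s*\(|'|\"|--|;)")


def suspicious_id_requests(log_text):
    """Return (ip, timestamp, decoded ID value) for requests whose ID looks injected."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/viewrequest.php"):
            continue
        # parse_qs decodes %27, %20 and '+', so encoded payloads are inspected in clear form.
        for value in parse_qs(url.query, keep_blank_values=True).get("ID", []):
            # A legitimate request id is purely numeric; anything else with SQL tokens is flagged.
            if not value.isdigit() and SQLI_RE.search(value):
                hits.append((m.group("ip"), m.group("ts"), value))
    return hits


if __name__ == "__main__":
    for ip, ts, value in suspicious_id_requests(SAMPLE_LOG):
        print(f"{ts} {ip} ID={value!r}")
```

Run it against the real file with `suspicious_id_requests(open("access.log").read())`; the `index.php?page=union` line shows why scoping the check to the vulnerable endpoint and parameter cuts false positives.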

Backup Verification:

mysqldump -u admin -p bloodbank_db > backup_$(date +%F).sql

References:

Reported By: https://nvd.nist.gov/vuln/detail/CVE-2025-3308