PHPGurukul Blood Bank and Donor Management System SQL Injection Vulnerability

A critical SQL injection vulnerability has been identified in PHPGurukul Blood Bank & Donor Management System version 2.4. The issue resides in the file '/admin/request-received-bydonar.php', where the 'searchdata' parameter is manipulated, leading to unauthorized database access. This vulnerability allows attackers to inject malicious SQL queries, bypassing authentication and exploiting the database without proper authorization. The lack of input validation on the 'searchdata' parameter enables this injection, which could be exploited remotely.

Impact

Exploitation of this vulnerability allows for unauthorized database access, manipulation of data, execution of administrative operations, and potential disruption of services.

Reproduction

The vulnerability can be reproduced by sending a POST request to '/bbdms/admin/request-received-bydonar.php' with a crafted 'searchdata' parameter. This parameter can be exploited using time-based blind SQL injection techniques, such as appending a SQL injection payload that utilizes the 'SLEEP' function to create a delay, indicating successful exploitation. Additionally, the vulnerability can be exploited using a UNION-based SQL injection payload to extract database information.

Remediation

It is recommended to implement prepared statements and parameter binding to prevent SQL injection. Additionally, input validation and filtering should be applied to ensure that user input conforms to expected formats, blocking malicious data. Minimizing database user permissions is also advised, ensuring that the database account used has only the necessary privileges.