Car Booking System PHP SQL Injection Vulnerability in Contact Component
Vulnerability
A SQL injection vulnerability has been identified in Car-Booking-System-PHP version 1.0, in the contact.php file that handles the contact form. The 'name' parameter submitted to this page is placed into a SQL query without parameterisation, so an attacker can alter the query's structure. Depending on the database account the application uses, this can lead to unauthorized database access, data exfiltration, modification of stored information and, where that account has sufficient privileges, execution of arbitrary code on the server.
Impact
Because the injected input reaches the database as part of the statement text rather than as a bound value, an attacker can execute arbitrary SQL in the context of the application's database user. The practical impact is bounded by that user's privileges: with read access it allows data exfiltration, with write access it allows data manipulation, and with file or administrative privileges it can extend to code execution on the server.
Reproduction
To reproduce this vulnerability, navigate to the contact section of the application and submit the form. Intercept the request with Burp Suite and send it to Repeater. First send the unmodified request and note the response time as a baseline. Then replace the value of the 'name' parameter with a time-based SQL injection payload (one that calls the database's sleep function with a fixed delay) and send it again. If the response is delayed by roughly the requested interval while the baseline is not, the input is reaching the query unparameterised; repeat the comparison a few times to rule out network jitter, and prefer a delay of a few seconds so the result is unambiguous without tying up the server.
Remediation
To mitigate this vulnerability, use prepared statements with bound parameters (mysqli or PDO in PHP) so that user input is sent to the database separately from the SQL text and can never change the statement's structure. Escaping alone is not a substitute: a missed call or a mismatched character set re-opens the issue. Additionally, validate user input against the format each field is expected to have (length limits, a well-formed e-mail address) and reject anything that does not match, and run the application under a database account limited to the statements it actually needs, so that an exploited query cannot read other tables, write files or alter the schema.
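The following is an added example illustrating the remediation above; it is not code from Car-Booking-System-PHP. The table and column names (contacts: name, email, message), the mysqli connection and the shape of the original vulnerable query are assumptions made for the illustration, based only on the advisory's description of contact.php.

```php
<?php
// Added example, not the project's code. Table/column names, the mysqli
// connection and the vulnerable query shape are assumptions.

// --- Vulnerable pattern (assumed): user input concatenated into the SQL text ---
function save_contact_vulnerable(mysqli $db, array $post): bool
{
    $name    = $post['name']    ?? '';
    $email   = $post['email']   ?? '';
    $message = $post['message'] ?? '';
    // Whatever is in 'name' becomes part of the statement, so a value that
    // closes the quote and calls the database's sleep function delays the
    // response, which is exactly what the time-based check above detects.
    $sql = "INSERT INTO contacts (name, email, message) "
         . "VALUES ('$name', '$email', '$message')";
    return $db->query($sql) === true;
}

// --- Hardened version: allow-list validation, then a prepared statement ---
function validate_contact(array $post): array
{
    $name    = trim((string)($post['name']    ?? ''));
    $email   = trim((string)($post['email']   ?? ''));
    $message = trim((string)($post['message'] ?? ''));

    // Reject input that does not match the expected shape instead of trying
    // to "clean" it; the stored value is then exactly what the user sent.
    if ($name === '' || mb_strlen($name) > 100) {
        throw new InvalidArgumentException('name must be 1-100 characters');
    }
    if (strlen($email) > 254 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('email is not a valid address');
    }
    if ($message === '' || mb_strlen($message) > 2000) {
        throw new InvalidArgumentException('message must be 1-2000 characters');
    }
    return [$name, $email, $message];
}

function save_contact(mysqli $db, array $post): bool
{
    [$name, $email, $message] = validate_contact($post);

    // The SQL text contains only placeholders. The values travel to the
    // server separately and are treated as data, so a quote or a SLEEP()
    // call inside 'name' is simply stored as text.
    $stmt = $db->prepare(
        'INSERT INTO contacts (name, email, message) VALUES (?, ?, ?)'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('sss', $name, $email, $message);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Usage (assumed credentials; real code reads them from configuration).
// Strict error reporting turns silent failures into exceptions.
// mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
// $db = new mysqli('localhost', 'carbooking_app', 'secret', 'carbooking');
// $db->set_charset('utf8mb4');
// save_contact($db, $_POST);
```

The third mitigation, least privilege, is applied on the database side rather than in PHP: the account the application connects with should be granted only the statements the contact form needs (here, INSERT on the contacts table) and no FILE, SUPER or schema-altering rights, so that even a successful injection elsewhere in the application cannot read other tables or write to the filesystem.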
