Restaurant Website Restoran SQL Injection Vulnerability

Vulnerability

A time-based blind SQL injection vulnerability has been identified in Restaurant Website Restoran version 1.0 on the Contact Form page. It allows an attacker to execute unauthorized database queries and manipulate stored data. The issue lies in the 'contact.php' file, where the name, email, subject, and message fields are incorporated into SQL queries without adequate validation, so malicious SQL payloads can be injected through any of them.

Impact

Exploitation of this vulnerability could lead to unauthorized access to database information, manipulation or deletion of data, bypassing authentication mechanisms, and potentially executing code on the server.

Reproduction

To reproduce this vulnerability, navigate to the Contact Form page of the Restaurant Website Restoran application. Fill out the form with valid information, then intercept the request using Burp Suite. Send the intercepted request to the Repeater tool and inject a time-based blind SQL injection payload, for example one that uses the database's 'sleep' function to delay the response. After sending the payload, observe the response time: a delay matching the requested sleep indicates successful exploitation.

Remediation

To address this vulnerability, use parameterized queries (prepared statements) for every database operation that touches form input, so that user-supplied values are never interpreted as SQL syntax. Complement this with server-side input validation (type, length, and format checks on each field) and, where raw query text is unavoidable, proper escaping of user input.
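The following is an added example, not code from the Restoran project, showing the remediation applied to a contact-form insert in PHP: the concatenation pattern the advisory describes is shown in a comment, followed by a validated, PDO prepared-statement version. The table name, column names, field length limits, and the PDO connection are assumptions.

```php
<?php
// Added example, not the Restoran project's code. Table and column names,
// length limits and the PDO connection are assumptions.

// Pattern to avoid (the bug class the advisory describes): form fields
// concatenated straight into the SQL text, so the database parses
// attacker-controlled characters as query syntax.
//   $sql = "INSERT INTO contact (name, email, subject, message) VALUES ('"
//        . $_POST['name'] . "','" . $_POST['email'] . "','"
//        . $_POST['subject'] . "','" . $_POST['message'] . "')";

// Validate the four contact-form fields; throws so nothing missing,
// malformed or oversized reaches the query.
function validateContactInput(array $post): array
{
    $maxLen = ['name' => 100, 'email' => 254, 'subject' => 200, 'message' => 2000];
    $clean = [];
    foreach ($maxLen as $field => $limit) {
        $value = trim((string)($post[$field] ?? ''));
        if ($value === '' || mb_strlen($value) > $limit) {
            throw new InvalidArgumentException("Invalid or missing field: $field");
        }
        $clean[$field] = $value;
    }
    if (filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Invalid email address');
    }
    return $clean;
}

// Hardened insert: the SQL text is fixed and every user value is bound as
// a parameter, so it can never be interpreted as query syntax. Emulated
// prepares are disabled so the binding is done by the database server.
function saveContactMessage(PDO $pdo, array $post): int
{
    $clean = validateContactInput($post);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $stmt = $pdo->prepare(
        'INSERT INTO contact (name, email, subject, message)
         VALUES (:name, :email, :subject, :message)'
    );
    $stmt->execute([
        ':name'    => $clean['name'],
        ':email'   => $clean['email'],
        ':subject' => $clean['subject'],
        ':message' => $clean['message'],
    ]);
    return $stmt->rowCount();
}
```

In contact.php the handler would call saveContactMessage($pdo, $_POST) with a PDO instance opened in PDO::ERRMODE_EXCEPTION mode, so a failed validation or query raises rather than silently continuing.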

Added: Nov 19, 2025, 4:20 PM
Updated: Nov 19, 2025, 10:19 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.1
exploitability: 8.7
remediation: 0.0
relevance: 1.1
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.