Code-Projects Hotel and Tourism Reservation System SQL Injection Vulnerability

Vulnerability

A critical SQL injection vulnerability has been identified in the Hotel and Tourism Reservation System version 1.0. The issue arises in the 'tour' GET parameter of the 'tour.php' file, where user input is directly interpolated into SQL queries without any sanitization or validation. This vulnerability allows unauthenticated remote attackers to manipulate SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability was confirmed by using sqlmap to extract the entire database.

Impact

Exploitation of this vulnerability allows attackers to extract, modify, or delete any data in the database. This includes sensitive information such as user credentials, emails, phone numbers, and reservation details. Additionally, extracted admin credentials could be used to bypass authentication. If the database user has file privileges, attackers could go further and execute arbitrary code by writing a payload to a file with the 'INTO OUTFILE' SQL clause.

Reproduction

To reproduce this vulnerability, install the Hotel and Tourism Reservation System 1.0 on a server with XAMPP. Access the application and navigate to 'tour.php' while unauthenticated, using a URL that includes a crafted 'tour' parameter. Inject a single quote to disrupt the SQL query, confirming that the input is not properly sanitized. After verifying the vulnerability, use a boolean-based payload to exploit the SQL injection, and finally, employ sqlmap to dump the entire database.

Remediation

The vulnerability can be remediated by using prepared statements to handle SQL queries, which prevents injection by separating SQL logic from data. Instructions for implementing this fix are available on the official PHP documentation website.
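The fix described above, shown as an added example in PHP (not the project's own code): the string-interpolation pattern the advisory describes beside a PDO prepared-statement version with type validation. The `$pdo` connection, the `tours` table and its columns, and the DSN values are assumptions, not details taken from the application.

```php
<?php
// Added example, not code from the Hotel and Tourism Reservation System.
// Assumes a PDO connection and a hypothetical `tours` table with an integer
// primary key `id`; the application's real schema is not known here.

// BEFORE: the class of defect the advisory describes. The raw GET value is
// spliced into the query text, so a quote in the input becomes SQL syntax.
function getTourVulnerable(PDO $pdo, array $get)
{
    $sql = "SELECT id, name, price FROM tours WHERE id = '" . $get['tour'] . "'";
    return $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
}

// AFTER: validate the type first, then bind the value as a parameter so the
// database receives the SQL text and the data through separate channels.
function getTourSafe(PDO $pdo, array $get)
{
    // Reject anything that is not a positive integer before touching the DB.
    $id = filter_var(
        $get['tour'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {
        http_response_code(400);
        return false;
    }
    $stmt = $pdo->prepare('SELECT id, name, price FROM tours WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Placeholder DSN and credentials (assumed). Emulated prepares are disabled
// so MySQL performs real server-side binding rather than client-side quoting.
$pdo = new PDO('mysql:host=localhost;dbname=hotel_db', 'app_user', 'CHANGE_ME', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$tour = getTourSafe($pdo, $_GET);
```

Validating the parameter as an integer before the query also gives the application a clear point to log and reject malformed requests, which is a useful detection signal on its own.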

Added: Jun 1, 2026, 10:28 PM
Updated: Jun 1, 2026, 10:28 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.1
exploitability: 8.7
remediation: 0.0
relevance: 9.7
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.