itsourcecode Vehicle Management System SQL Injection Vulnerability

A SQL injection vulnerability has been identified in the Vehicle Management System Project version 1.0, specifically within the billaction.php file. The issue arises from the application's billing feature, which processes trip costs but lacks proper security measures to validate user input. The vulnerability allows remote exploitation without authentication, as the id parameter can be manipulated through a GET request. This unvalidated input is directly concatenated into an SQL INSERT statement, creating an opportunity for attackers to inject malicious SQL code.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can manipulate database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

To reproduce this vulnerability, send a GET request to billaction.php with a crafted id parameter that includes SQL injection payloads. The injection can be boolean-based blind, error-based, or time-based blind, taking advantage of how the application processes the input without proper sanitization.

Remediation

To address this vulnerability, it is recommended to use prepared statements and parameterized queries to prevent SQL injection. Additionally, implement session validation to ensure that only authenticated users can access the billaction.php script.