CVE-2018-25161

Vulnerability

Details

Warranty Tracking System version 11.06.3 suffers from a classical SQL injection vulnerability in the SearchCustomer.php script. The root cause is that user-supplied input from the txtCustomerCode, txtCustomerName, and txtPhone POST parameters is directly concatenated into SQL queries without proper sanitization or parameterization. As shown in the source code, lines 85, 88, and 91 build a WHERE clause by appending the raw user input using string interpolation, and the resulting query is executed via the insecure mysql_query() function [1].

Exploitation

Prerequisites and Method

An attacker can exploit this vulnerability by sending a crafted HTTP POST request to the vulnerable endpoint. No prior authentication is required, as the search functionality is accessible to unauthenticated users. The exploit involves injecting a single quote (') to break out of the string context, followed by a UNION SELECT statement to retrieve arbitrary data from the database. The provided proof-of-concept demonstrates exfiltration of the current database user, database name, and MySQL version by leveraging the USER(), DATABASE(), and VERSION() functions [1].

Impact

Successful exploitation allows an attacker to execute arbitrary SQL queries, leading to unauthorized access to sensitive information stored in the underlying database. This can include user credentials, customer records, and other application data. The CVSS v3 base score is 8.2 (High), reflecting the low complexity and network-based attack vector without authentication requirements.

Mitigation

Status

As of the report date (November 2018), no patch has been released, and the vendor appears to have discontinued the product. Users are strongly advised to migrate to an alternative solution or implement a web application firewall (WAF) rule to block SQL injection payloads.