SourceCodester Garage Management System login.php sql injection

Vulnerability

The Garage Management System version 1.0 by SourceCodester contains a critical SQL injection vulnerability in the login page (/login.php). The username POST parameter is directly concatenated into SQL queries without proper sanitization. By submitting a specially crafted payload such as 1@a.com' AND (SELECT 6427 FROM (SELECT(SLEEP(5)))LwLu) AND 'hsvT'='hsvT, an attacker can inject arbitrary SQL commands. The vulnerability is present in version 1.0 as disclosed in the public exploit [1].

Exploitation

An attacker can exploit this vulnerability remotely without any prior authentication. The attack involves sending a POST request to /login.php with a malicious username parameter. The public proof-of-concept (POC) demonstrates a time-based blind SQL injection technique using the SLEEP() function to confirm injection. Tools like sqlmap can automate the exploitation. A sample request is provided in [1], showing the exact payload and HTTP headers needed.

Impact

Successful exploitation allows an attacker to extract arbitrary data from the underlying MySQL database, including but not limited to user credentials, session tokens, and other sensitive information stored by the application. The injection is blind, meaning data extraction is performed via time-based inference. Given the critical severity classification, the attacker can gain access to the application's backend data, potentially leading to privilege escalation or further system compromise.

Mitigation

As of the publication date (2022-07-19), no official patch has been released by SourceCodester. The vulnerable version is 1.0, and users are advised to contact the vendor for an update. If no fix is available, the recommended workaround is to implement proper input validation and parameterized queries for all user-supplied data, especially the username parameter in the login form. The application is not listed on the CISA KEV catalog as of the published date.