VYPR
Unrated severity · NVD Advisory · Published May 18, 2024 · Updated Aug 1, 2024

SourceCodester Best House Rental Management System view_payment.php sql injection

CVE-2024-5094

Description

A vulnerability was found in SourceCodester Best House Rental Management System 1.0 and classified as critical. This issue affects some unknown processing of the file view_payment.php. The manipulation of the argument id leads to SQL injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-265073 was assigned to this vulnerability.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input sanitization and lack of parameterized queries in view_payment.php allow SQL injection via the id parameter."

Attack vector

An attacker can trigger the SQL injection by sending a crafted GET request to `view_payment.php` with a malicious `id` parameter. The attack is remotely exploitable with no authentication required — the researcher's PoC shows the request originates from the tenants page view button, but the vulnerable endpoint is directly accessible [ref_id=1]. The `id` parameter is vulnerable to both boolean-based blind and time-based blind SQL injection, as confirmed by sqlmap output showing payloads such as `id=12 AND 5328=5328` and `id=12 AND (SELECT 7871 FROM (SELECT(SLEEP(5)))Ovop)` [ref_id=1].

Affected code

The vulnerability exists in the file `view_payment.php` of the Best House Rental Management System. The `id` parameter is passed directly into a SQL query without sanitization or parameterization, as demonstrated by the researcher's proof-of-concept at `http://localhost/rental/view_payment.php?id=12` [ref_id=1].

What the fix does

No patch is provided in the bundle. The advisory does not include a fix commit or vendor remediation. To close this vulnerability, the application should use prepared statements with parameterized queries (e.g., PDO or MySQLi prepared statements) instead of directly interpolating the `id` parameter into the SQL query. Input validation (ensuring `id` is an integer) would also mitigate the issue.
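
A handler hardened along the lines described above, as an added example that is not the project's code or a vendor patch. The table and column names (`payments`, `tenant_id`, `amount`, `date_created`), the helper names and the connection credentials are assumptions; only the `id` parameter and the database name `house_rental_latest` come from this page.

```php
<?php
// Added example, not the project's code. Table/column names, helper names
// and credentials are assumptions for illustration. Requires PHP 8+ (mysqlnd).
declare(strict_types=1);

// Pattern the advisory describes (assumed shape, shown only for contrast):
//   $conn->query("SELECT * FROM payments WHERE tenant_id = " . $_GET['id']);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Accept only a positive integer. "12" passes; "12 AND 5328=5328",
// an array (id[]=1) or a missing parameter all yield null.
function parse_id(mixed $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// The value is bound as an integer and sent separately from the SQL text,
// so it can never be parsed as part of the statement.
function fetch_payments(mysqli $conn, int $tenantId): array
{
    $stmt = $conn->prepare(
        'SELECT id, amount, date_created FROM payments WHERE tenant_id = ?'
    );
    $stmt->bind_param('i', $tenantId);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

$id = parse_id($_GET['id'] ?? null);
if ($id === null) {
    http_response_code(400);
    exit('Invalid id');
}

try {
    $conn = new mysqli('localhost', 'app_user', 'change-me', 'house_rental_latest');
    $conn->set_charset('utf8mb4');
    foreach (fetch_payments($conn, $id) as $row) {
        echo htmlspecialchars((string) $row['amount'], ENT_QUOTES, 'UTF-8'), "<br>\n";
    }
} catch (mysqli_sql_exception $e) {
    error_log('view_payment: ' . $e->getMessage()); // log detail server-side only
    http_response_code(500);
    exit('Internal error');
}
```

Validation and binding are independent layers: the bound parameter alone closes the injection, while the integer check rejects malformed requests before they reach the database.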

Preconditions

  • network: The attacker must be able to send HTTP GET requests to the vulnerable endpoint view_payment.php.
  • auth: No authentication is required; the endpoint is publicly accessible.
  • input: The id parameter must be accepted by the application without sanitization or type validation.

Reproduction

1. Navigate to `http://localhost/rental/index.php?page=tenants` and click the "view" button on any tenant entry.
2. Capture the resulting GET request to `/rental/view_payment.php?id=12` using Burp Suite and send it to Repeater.
3. Save the raw request to a file (e.g., `r.txt`).
4. Run sqlmap: `sqlmap -r r.txt -p id --risk 3 --level 5 --dbms mysql --batch --current-db`
5. Observe that the tool confirms boolean-based and time-based blind injection and dumps the database name `house_rental_latest` [ref_id=1].

Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4
