SourceCodester Best House Rental Management System admin_class.php login sql injection
Description
A vulnerability classified as critical has been found in SourceCodester Best House Rental Management System 1.0. This affects the function login of the file admin_class.php. The manipulation of the argument username leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-268767.
Affected products
- Range: = 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input validation in the `login` function of `admin_class.php` allows the `username` parameter to be used directly in SQL queries without sanitization."
Attack vector
An attacker sends a POST request to `/rental/ajax.php?action=login` with a crafted `username` parameter containing SQL injection payloads [ref_id=1]. The payload `admin' AND (SELECT 5426 FROM (SELECT(SLEEP(5)))ABPy) AND 'wtFY'='wtFY` demonstrates time-based blind SQL injection, causing a 5-second response delay [ref_id=1]. The attack is remotely exploitable over HTTP and requires no prior authentication [ref_id=1].
Affected code
The vulnerability resides in the `login` function of the file `admin_class.php` [ref_id=1]. The `username` parameter is taken directly from user input and used in SQL queries without sanitization or validation [ref_id=1]. The login request is sent to `/rental/ajax.php?action=login` [ref_id=1].
What the fix does
No official patch has been published by the vendor. The researcher recommends using prepared statements and parameter binding to separate SQL code from user input, strict input validation and filtering, minimizing database user permissions, and conducting regular security audits [ref_id=1]. These measures would prevent the `username` parameter from being interpreted as executable SQL code.
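The two login patterns in question, as an added illustration that is not the project's own `admin_class.php`: a hypothetical `loginUnsafe()` that concatenates `username` into the query (the root cause above) next to a `loginSafe()` that uses a prepared statement with a bound parameter and basic input validation. It assumes a `mysqli` connection (with mysqlnd, for `get_result()`) and a `users` table with `username` and `password_hash` columns; all of these are assumptions, not details from the advisory.

```php
<?php
// Added example, not code from the affected project. Assumes a mysqli handle
// and a `users` table with `username` and `password_hash` (password_hash()) columns.

class LoginExample
{
    private mysqli $db;

    public function __construct(mysqli $db)
    {
        $this->db = $db;
    }

    // Vulnerable pattern: the username is spliced straight into the SQL text,
    // so a quote in the submitted value terminates the literal and whatever
    // follows is parsed as SQL (e.g. a SLEEP() subquery causes the delay the
    // advisory describes).
    public function loginUnsafe(string $username, string $password): bool
    {
        $sql = "SELECT id, password_hash FROM users WHERE username = '" . $username . "'";
        $result = $this->db->query($sql);
        $row = $result ? $result->fetch_assoc() : null;
        return $row !== null && password_verify($password, $row['password_hash']);
    }

    // Hardened pattern: the username travels to MySQL as a bound parameter and is
    // never parsed as SQL, so injected quotes or functions only fail to match a row.
    public function loginSafe(string $username, string $password): bool
    {
        // Strict input validation, as the researcher recommends; an overlong or
        // empty username is rejected before any query is built.
        if ($username === '' || strlen($username) > 64) {
            return false;
        }
        $stmt = $this->db->prepare('SELECT id, password_hash FROM users WHERE username = ? LIMIT 1');
        if ($stmt === false) {
            return false;
        }
        $stmt->bind_param('s', $username);
        $stmt->execute();
        $row = $stmt->get_result()->fetch_assoc();
        $stmt->close();
        return $row !== null && password_verify($password, $row['password_hash']);
    }
}
```

Pairing the prepared statement with a database account limited to the tables the login needs covers the remaining recommendations in the section above (least privilege), so that even a future injection elsewhere in the application reaches less data.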
Preconditions
- network: The attacker must be able to send HTTP POST requests to the target server.
- auth: No authentication is required; the vulnerability is in the login function.
- input: The attacker controls the `username` parameter in the POST body.
Reproduction
1. Capture a login POST request to `/rental/ajax.php?action=login` with a tool like Burp Suite.
2. Replace the `username` parameter value with a time-based blind SQL injection payload, e.g. `admin' AND (SELECT 5426 FROM (SELECT(SLEEP(5)))ABPy) AND 'wtFY'='wtFY`.
3. Send the request and observe that the server takes approximately 5 seconds to respond, confirming the SQL injection [ref_id=1].
4. For broader exploitation, use sqlmap with the captured request: `sqlmap -r source.txt -p username,password --dbs --batch` [ref_id=1].
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/yezzzo/y3/blob/main/SourceCodester%20Best%20house%20rental%20management%20system%20project%20in%20php%201.0%20SQL%20Injection.md (mitre, exploit)
- vuldb.com (mitre, third-party-advisory)
- vuldb.com (mitre, signature, permissions-required)
- vuldb.com (mitre, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.