CVE-2011-5039

HIGH 7.5 / 10.0
Published: December 30, 2011 at 07:55 PM
Modified: April 11, 2025 at 12:51 AM
Source: cve@mitre.org

Vulnerability Description

Multiple SQL injection vulnerabilities in Infoproject Biznis Heroj allow remote attackers to execute arbitrary SQL commands via the (1) username and (2) password parameters to login.php, (3) the filter parameter to widget.dokumenti_lista.php, and (4) the fin_nalog_id parameter to nalozi_naslov.php.

CVSS Metrics

Base Score
7.5
Severity
HIGH
Vector String (CVSS v2)
AV:N/AC:L/Au:N/C:P/I:P/A:P (network-reachable, low attack complexity, no authentication required; partial confidentiality, integrity and availability impact)

Weaknesses (CWE)

Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

Infoproject Biznis Heroj is vulnerable to multiple SQL injection flaws that let a remote, unauthenticated attacker execute arbitrary SQL commands against the application's database. Successful exploitation allows reading and modifying application data; injection through the username and password parameters of login.php additionally permits the usual authentication bypass, since the login query itself is the injection point. The CVSS v2 vector rates the confidentiality, integrity and availability impact as partial; whether the database account's privileges allow any further compromise of the host is not established by this advisory. Because four parameters across three scripts are affected, the attack surface is broad and at least one of the injection points (the login form) requires no prior access.

02 // Vulnerability Mechanism

Step 1: Identify Vulnerable Endpoint: The attacker locates the affected scripts and parameters: login.php (username and password), widget.dokumenti_lista.php (filter), and nalozi_naslov.php (fin_nalog_id).

Step 2: Craft Malicious Payload: The attacker builds a SQL fragment suited to the injection context. In a quoted string context (username, password, filter) the payload opens with a quote to close the literal; in a numeric context (fin_nalog_id is, by its name, likely an integer identifier) no quote is needed and a bare "0 OR 1=1" suffices. The goal may be authentication bypass, retrieval of data the attacker is not authorized to see, or modification of records.

Step 3: Payload Delivery: The attacker submits the payload in the affected parameter of an HTTP request (GET or POST, whichever the script reads).

Step 4: Server-Side Execution: The script concatenates the raw parameter value into a SQL statement without parameterization, escaping, or type validation.

Step 5: Database Interaction: The database server parses and executes the altered statement, including the attacker-supplied clauses.

Step 6: Result Retrieval/Exploitation: Depending on the payload and the script, the attacker obtains data in the HTTP response, logs in without valid credentials, or changes stored data. Any impact beyond the database itself depends on the privileges of the database account the application uses and is not described in this advisory.

03 // Deep Technical Analysis

The vulnerability stems from user-supplied data being placed into SQL statements as text rather than being bound as values. The application does not escape, filter, or type-check the username, password, filter, and fin_nalog_id parameters before building the query, so characters that are syntactically significant to SQL (a single quote in a string literal, or spaces and keywords after a numeric value) change the structure of the statement instead of being treated as data. The absence of prepared statements with bound parameters is the decisive defect: with parameter binding, the query text is fixed before any user input is seen and the input cannot alter it. Note that escaping quotes alone would not have protected the fin_nalog_id parameter if, as its name suggests, it is used unquoted in a numeric comparison; for that context only parameterization or strict type validation helps. The root cause is therefore the classic one for SQL injection: dynamic query construction by string concatenation instead of parameterized queries.
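To make the six-step mechanism and the root-cause analysis above concrete, the following is an added illustration written for this page, not code from Infoproject Biznis Heroj or from the advisory. It reproduces the two injection contexts the parameters imply (a quoted string context for username/password, an unquoted numeric context for fin_nalog_id) against a constructed in-memory SQLite database, and places each vulnerable query beside its parameterized counterpart. The table and column names, the sample rows, and the payloads are all assumptions; the page names only the scripts and parameters, not the schema.

```python
import sqlite3

# Constructed in-memory stand-in for the application's database. The schema is
# an assumption: the advisory names only the scripts and their parameters.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users (username, password) VALUES ('admin', 'correct-horse');
        CREATE TABLE nalozi (fin_nalog_id INTEGER PRIMARY KEY, naslov TEXT);
        INSERT INTO nalozi VALUES (1, 'Nalog A'), (2, 'Nalog B');
    """)
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # String context, as in login.php: values are concatenated into the SQL text,
    # so a single quote closes the literal and the remainder is parsed as SQL.
    sql = ("SELECT id FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_fixed(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameterized query: the values are bound separately from the SQL text, so
    # a quote in the input is compared as data and cannot change the statement.
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def nalog_titles_vulnerable(conn: sqlite3.Connection, fin_nalog_id: str) -> list:
    # Numeric context, as nalozi_naslov.php likely uses: the value is not quoted,
    # so no quote character is needed; "0 OR 1=1" turns a lookup into a table read.
    sql = ("SELECT naslov FROM nalozi WHERE fin_nalog_id = " + fin_nalog_id
           + " ORDER BY fin_nalog_id")
    return [row[0] for row in conn.execute(sql)]


def nalog_titles_fixed(conn: sqlite3.Connection, fin_nalog_id: str) -> list:
    # Type-check first (an id must be an integer), then bind it. Either measure
    # alone defeats the payload above; doing both is defense in depth.
    try:
        nalog_id = int(fin_nalog_id)
    except ValueError:
        return []
    rows = conn.execute(
        "SELECT naslov FROM nalozi WHERE fin_nalog_id = ? ORDER BY fin_nalog_id",
        (nalog_id,),
    )
    return [row[0] for row in rows]


def demo() -> dict:
    # Constructed payloads for each context, with vulnerable and fixed outcomes.
    conn = build_db()
    return {
        "bypass_comment":   login_vulnerable(conn, "admin' --", "wrong"),
        "bypass_tautology": login_vulnerable(conn, "' OR '1'='1", "' OR '1'='1"),
        "fixed_comment":    login_fixed(conn, "admin' --", "wrong"),
        "fixed_tautology":  login_fixed(conn, "' OR '1'='1", "' OR '1'='1"),
        "fixed_real_login": login_fixed(conn, "admin", "correct-horse"),
        "dump_all":         nalog_titles_vulnerable(conn, "0 OR 1=1"),
        "fixed_dump":       nalog_titles_fixed(conn, "0 OR 1=1"),
        "fixed_lookup":     nalog_titles_fixed(conn, "2"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} {result}")
```

The "admin' --" payload comments out the password check entirely, while the tautology payload works even without knowing a valid username; both are refused by the bound-parameter version, which still accepts the real credentials. The numeric case shows why quote-escaping is not a complete fix: the dumping payload contains no quote at all, and only the integer conversion or the bound parameter stops it.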

CVE-2011-5039 - HIGH Severity (7.5) | Free CVE Database | 4nuxd