Wecodex Restaurant CMS SQL Injection Vulnerability

Vulnerability

An SQL injection vulnerability has been identified in Wecodex Restaurant CMS version 1.0. This vulnerability allows unauthenticated attackers to manipulate database queries by injecting SQL code through the username parameter. Exploitation involves sending POST requests to the login endpoint with malicious SQL payloads, using either boolean-based blind or time-based blind techniques, to extract sensitive information from the database.

Impact

Exploitation of this vulnerability could lead to unauthorized access to database information, allowing attackers to read, modify, or potentially delete data.

Reproduction

To reproduce this vulnerability, send a POST request to the login endpoint with SQL payloads injected into the username parameter. Boolean-based blind SQL injection relies on payloads whose true/false conditions produce observably different responses, while time-based blind SQL injection relies on payloads that delay the database response, the delay indicating that the injected SQL was executed.
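The following is an added illustration, not code from Wecodex Restaurant CMS (whose language and schema are not given here): a login lookup that interpolates the username into the SQL text beside its parameterised replacement, with a constructed in-memory SQLite table and a check that reports whether a boolean probe on the username field changes the login result. The table name, columns and probe strings are assumptions for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the CMS user table; not the real schema.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.execute(
        "INSERT INTO users (username, password_hash) VALUES ('admin', 'hash-of-admin-pw')"
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password_hash):
    # Username is spliced into the query text, so SQL syntax in the input becomes
    # part of the statement: the bug class described in the advisory.
    query = (
        f"SELECT id FROM users WHERE username = '{username}' "
        f"AND password_hash = '{password_hash}'"
    )
    return conn.execute(query).fetchone() is not None


def login_fixed(conn, username, password_hash):
    # Bound parameters: the driver passes the values separately from the SQL text,
    # so the input is only ever compared as data, never parsed as SQL.
    query = "SELECT id FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password_hash)).fetchone() is not None


def boolean_oracle_present(login_fn):
    # A boolean-based blind condition exists when a true and a false SQL condition in
    # the username field yield different results despite an invalid password.
    # The trailing comment marker discards the rest of the statement (assumption:
    # the backend accepts '--' as a comment, as SQLite does).
    true_probe = "admin' AND 1=1 -- "
    false_probe = "admin' AND 1=2 -- "
    return login_fn(make_db(), true_probe, "wrong") != login_fn(
        make_db(), false_probe, "wrong"
    )


if __name__ == "__main__":
    print("vulnerable login leaks a boolean oracle:", boolean_oracle_present(login_vulnerable))
    print("parameterised login leaks a boolean oracle:", boolean_oracle_present(login_fixed))
```

Run against the interpolated version the two probes disagree (the first logs in without a valid password), while the parameterised version rejects both, which is the property a fix for this class of bug should restore.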

Added: Mar 26, 2026, 12:23 PM
Updated: Mar 26, 2026, 12:23 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 4.5
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.