Phpscript-Sgh Time-Based Blind SQL Injection Vulnerability
Vulnerability
A time-based blind SQL injection vulnerability has been identified in Phpscript-sgh version 0.1.0, specifically within the admin interface. This vulnerability allows attackers to manipulate database queries by exploiting the 'id' parameter. By crafting malicious payloads that induce time delays, attackers can extract sensitive information from the database using conditional sleep techniques.
Impact
Successful exploitation lets an attacker manipulate database queries and potentially extract sensitive information from the database. Because the injection is blind, that information is inferred from response timing rather than read from the query output.
Reproduction
To reproduce this vulnerability, log in to the admin interface of Phpscript-sgh 0.1.0 and navigate to the 'admins.php' page. Send a request with the 'op' parameter set to 'edit' and the 'id' parameter crafted to include a SQL injection payload. For example, a payload that uses the SQL 'SLEEP' function creates a time delay that indicates successful exploitation. This time-based response can be used to infer information from the database, demonstrating the SQL injection vulnerability.
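For defenders, the request shape described above can be hunted in web server logs. The following is an added example, not code from Phpscript-sgh or from this advisory: it flags 'admins.php' requests with 'op' set to 'edit' whose 'id' is not a plain integer and marks the slow ones. The log format (common log format with request duration appended), the '/admin/' path, the sample lines and the function name are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log (not from the advisory). Assumed format: common
# log format with the request duration in seconds appended as the last field.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "GET /admin/admins.php?op=edit&id=3 HTTP/1.1" 200 5120 0.041
203.0.113.7 - - [12/Mar/2024:10:01:09 +0000] "GET /admin/admins.php?op=edit&id=3%20AND%20SLEEP(5) HTTP/1.1" 200 5120 5.043
198.51.100.4 - - [12/Mar/2024:10:02:00 +0000] "GET /admin/admins.php?op=list HTTP/1.1" 200 2048 0.030
203.0.113.7 - - [12/Mar/2024:10:02:30 +0000] "GET /admin/admins.php?op=edit&id=3%27 HTTP/1.1" 500 312 0.020
"""

LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) \S+ ([\d.]+)$'
)


def flag_admins_edit_requests(log_text, slow_seconds=2.0):
    """Return one finding per admins.php?op=edit request with a non-integer id."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skipped here, worth counting in production
        client, target, status, seconds = m.groups()
        url = urlsplit(target)
        params = parse_qs(url.query, keep_blank_values=True)  # URL-decodes values
        if not url.path.endswith("/admins.php") or params.get("op") != ["edit"]:
            continue
        ids = params.get("id", [])
        if len(ids) <= 1 and all(re.fullmatch(r"[0-9]+", v) for v in ids):
            continue  # a single numeric id (or none) is the expected shape
        findings.append({
            "client": client,
            "id": ids,
            "status": int(status),
            "seconds": float(seconds),
            # A long response on a malformed id is consistent with a delay-based probe.
            "slow": float(seconds) >= slow_seconds,
        })
    return findings


if __name__ == "__main__":
    for finding in flag_admins_edit_requests(SAMPLE_LOG):
        print(finding)
```

Only query-string parameters appear in access logs, so an 'id' sent in a request body needs application-level or WAF logging to be covered by the same check.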
