School ERP Pro SQL Injection Vulnerability

A SQL injection vulnerability has been identified in School ERP Pro version 1.0. The issue resides in the 'es_messagesid' parameter, allowing attackers to manipulate database queries via GET requests. By injecting crafted SQL statements, it is possible to extract, modify, or delete database information.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can interfere with the application's database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

To reproduce this vulnerability, send a GET request to the application with the 'es_messagesid' parameter. The application will process the request and execute the injected SQL payload. This vulnerability can be exploited using SQL injection tools like SQLmap, which can automate the injection process and extract database information.