phpMyChat Plus SQL Injection Vulnerability in deluser.php

Vulnerability

A SQL injection vulnerability has been identified in phpMyChat Plus version 1.98, specifically on the deluser.php page. The issue arises through the pmc_username parameter, allowing attackers to manipulate database queries. Exploitation of this vulnerability could lead to the extraction of sensitive database information using boolean-based, error-based, and time-based blind SQL injection techniques.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can manipulate database queries to extract sensitive information from the database.

Reproduction

To reproduce this vulnerability, send a POST request to the deluser.php page with the pmc_username parameter. Include a crafted payload that exploits the SQL injection vulnerability, such as a boolean-based blind SQL injection payload that manipulates the query execution. The injection can be verified by using a tool like sqlmap to extract database information through the exploited vulnerability.
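The class of flaw described above, shown as a concatenated query beside its validated, parameterized form; this is an added example, not phpMyChat Plus source code. The table, column and function names are hypothetical, the input values are constructed, and an in-memory SQLite database (pdo_sqlite) stands in for the application's database.

```php
<?php
// Added illustration, not phpMyChat Plus code. Names are hypothetical;
// in-memory SQLite stands in for the application's real database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)");
$db->exec("INSERT INTO users VALUES ('alice', 'alice@example.test')");
$db->exec("INSERT INTO users VALUES ('bob', 'bob@example.test')");

// Vulnerable pattern: the parameter is concatenated into the SQL text,
// so a quote character in the value changes the structure of the query.
function countUsersUnsafe(PDO $db, string $username): int
{
    $sql = "SELECT COUNT(*) FROM users WHERE username = '" . $username . "'";
    return (int) $db->query($sql)->fetchColumn();
}

// Hardened pattern: check the value's shape, then bind it as data.
// The bound value is never parsed as SQL, whatever it contains.
function countUsersSafe(PDO $db, string $username): int
{
    // Assumed username policy for this example: 1-30 safe characters.
    if (!preg_match('/^[A-Za-z0-9_.-]{1,30}$/', $username)) {
        return 0; // reject anything that is not a plausible username
    }
    $stmt = $db->prepare("SELECT COUNT(*) FROM users WHERE username = :u");
    $stmt->execute([':u' => $username]);
    return (int) $stmt->fetchColumn();
}

// Constructed sample values for a pmc_username-style POST parameter:
// one ordinary name and one value containing a quote and a boolean condition.
$inputs = ['alice', "nobody' OR '1'='1"];

foreach ($inputs as $value) {
    printf(
        "%-20s unsafe=%d safe=%d\n",
        $value,
        countUsersUnsafe($db, $value),
        countUsersSafe($db, $value)
    );
}
```

With the second input the concatenated query matches every row while the bound query matches none, which is the true/false difference that boolean-based blind injection relies on. Keeping database error text out of HTTP responses narrows the error-based channel, but only binding the parameter removes the flaw.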

Added: Feb 5, 2026, 4:18 PM
Updated: Feb 5, 2026, 4:31 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 2.5
exploitability: 9.7
remediation: 7.7
relevance: 2.7
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.