PHP Inventory Management System SQL Injection Vulnerability

Vulnerability

A SQL injection vulnerability has been identified in Inventory Management System version 1. The issue lies in the login form: the submitted username and password are inserted into the SQL query without sanitization or parameter binding, so an attacker can change the structure of the query rather than just its values. Depending on the privileges of the database account and the database configuration, this can lead to authentication bypass, unauthorized access to sensitive data, compromise of the database, or in some cases remote code execution.

Impact

Exploitation of this vulnerability allows an attacker to inject SQL, with potential impacts including unauthorized data access, extraction of sensitive information, modification or deletion of database tables, full database compromise, and, where the database configuration permits it, remote code execution.

Reproduction

To reproduce this vulnerability, navigate to the login page of the PHP Inventory Management System, enter a username and password, and intercept the login request with Burp Suite. Save the intercepted request to a file and pass it to SQLMap to test the login parameters for SQL injection. SQLMap is able to enumerate the backend MySQL databases, confirming the presence of SQL injection.
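The class of flaw described above, and the boolean-based check that SQLMap performs when it tests a parameter, as an added example that is not part of this advisory or of the Inventory Management System code. It uses an in-memory SQLite table with constructed rows (the real application uses MySQL; the table and column names here are assumptions) and contrasts a login query built by string formatting with the prepared-statement form that fixes it:

```python
import sqlite3


def make_db():
    """Constructed sample database: one user with a plaintext password.
    Plaintext storage is only for the demonstration, not a recommendation."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute(
        "INSERT INTO users (username, password) VALUES ('admin', 'S3cret!')"
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Login check in the style the advisory describes: user input is pasted
    straight into the SQL text, so quotes and comment markers in the input
    become part of the query's structure."""
    query = (
        "SELECT id, username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(query).fetchone()
    return row[1] if row else None


def login_fixed(conn, username, password):
    """Same check with bound parameters: the driver sends the values
    separately from the SQL text, so they can never alter the query."""
    row = conn.execute(
        "SELECT id, username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[1] if row else None


def boolean_blind_probe(login, conn):
    """Constructed probe in the spirit of SQLMap's boolean-based test:
    send an always-true and an always-false condition in the same parameter
    and compare the responses. A difference means the condition reached the
    SQL engine, i.e. the parameter is injectable. Returns True if injectable."""
    true_resp = login(conn, "admin' AND 1=1 -- ", "irrelevant")
    false_resp = login(conn, "admin' AND 1=2 -- ", "irrelevant")
    return true_resp != false_resp


if __name__ == "__main__":
    db = make_db()
    # Comment out the password check by closing the quote and starting a comment.
    print(login_vulnerable(db, "admin' -- ", "wrong"))        # admin
    # Classic tautology in the password field: ... AND password = '' OR '1'='1'
    print(login_vulnerable(db, "nobody", "' OR '1'='1"))     # admin
    print(login_fixed(db, "admin' -- ", "wrong"))            # None
    print(boolean_blind_probe(login_vulnerable, db))          # True
    print(boolean_blind_probe(login_fixed, db))               # False
```

Against the real application the same true/false comparison is what SQLMap automates when given the saved Burp request, for example `sqlmap -r request.txt --batch --dbs`; the `--dbs` step is the database enumeration the advisory reports. The fix is the prepared-statement form shown in `login_fixed`, which in PHP corresponds to PDO or mysqli prepared statements with bound parameters.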

Added: Dec 15, 2025, 9:32 PM
Updated: Dec 15, 2025, 9:32 PM

Vulnerability Rating

Custom Algorithm

spread:         0.0
impact:         3.1
exploitability: 8.7
remediation:    0.0
relevance:      1.4
threat:         6.4
urgency:        2.9
incentive:      5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.