anirbandutta9 NEWS-BUZZ
cpe:2.3:a:anirbandutta9:news-buzz:*:*:*:*:*:*:*
- 1.0
A SQL injection vulnerability has been identified in NEWS-BUZZ version 1.0, created by anirbandutta9. This vulnerability allows remote attackers to execute arbitrary code by injecting crafted scripts, exploiting unsanitized user input in the login form. The injection occurs through the login request, where manipulated input can alter backend SQL queries. Successful exploitation could lead to unauthorized access, data disclosure, database modification, or remote code execution, depending on the server's configuration.
Exploitation of this vulnerability could result in unauthorized access to user data, disclosure of sensitive information, unauthorized modification or deletion of database tables, privilege escalation, and potentially remote code execution, depending on the server and database configuration.
To reproduce this vulnerability, navigate to the login page of the NEWS-BUZZ application. Enter a username and password, then intercept the login request using Burp Suite. Save the intercepted request and use SQLMap to test for SQL injection vulnerabilities. SQLMap can be used to enumerate backend MySQL databases, confirming the presence of the SQL injection vulnerability.
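The login flaw described above comes down to SQL text being built from user input; the following added example (not code from NEWS-BUZZ or from the original advisory) contrasts that pattern with a parameterized query. It assumes a hypothetical `users` table and account, uses Python's built-in `sqlite3` as an offline stand-in for the MySQL backend, and hashes passwords with plain SHA-256 only to keep the demo short.

```python
import hashlib
import sqlite3


def _hash(password):
    # Assumption for brevity: unsalted SHA-256. Use a password KDF in real code.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    # Constructed sample data: table layout and account are hypothetical.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("editor", _hash("s3cret-pass")))
    return db


def login_concatenated(db, username, password):
    """Vulnerable pattern: user input is spliced into the SQL text."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND pw_hash = '" + _hash(password) + "'")
    return db.execute(sql).fetchone() is not None


def login_parameterized(db, username, password):
    """Hardened pattern: input is bound as data and cannot alter the query."""
    sql = "SELECT username FROM users WHERE username = ? AND pw_hash = ?"
    return db.execute(sql, (username, _hash(password))).fetchone() is not None


# Constructed input: a quote and comment marker that cut off the password check.
TAMPERED_USERNAME = "editor' --"


def compare(db):
    # Same inputs through both code paths; True means the login was accepted.
    return {
        "valid_concat": login_concatenated(db, "editor", "s3cret-pass"),
        "valid_param": login_parameterized(db, "editor", "s3cret-pass"),
        "tampered_concat": login_concatenated(db, TAMPERED_USERNAME, "wrong"),
        "tampered_param": login_parameterized(db, TAMPERED_USERNAME, "wrong"),
    }


if __name__ == "__main__":
    for name, accepted in compare(make_db()).items():
        print(f"{name}: {'login accepted' if accepted else 'login rejected'}")
```

Only the concatenated query accepts the tampered username with a wrong password; with bound parameters the same string is compared as a literal username and matches no row.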