Dawa Pharma SQL Injection Vulnerability

Vulnerability

A SQL injection vulnerability has been identified in Dawa Pharma version 1.0. This issue allows unauthenticated attackers to execute SQL queries through the email parameter, potentially accessing sensitive client information and administrative privileges on the server. The vulnerability arises from improper handling of SQL commands, enabling attackers to inject malicious payloads that are executed by the database.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive information, client data, and potentially allow attackers to gain administrative access on the server.

Reproduction

The vulnerability can be reproduced by sending a POST request with a crafted payload in the email parameter. The payload should include a SQL injection that exploits the application's database query handling. For example, a payload that uses SQL's 'OR' boolean-based blind injection technique can be effective. Once the injection is successful, the injected SQL query can be used to access sensitive information from the database.
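The query pattern behind this class of bug, next to its corrected form, as an added example. This is not Dawa Pharma's code: the table layout, function names and sample rows are assumptions constructed for illustration, with an in-memory SQLite database standing in for the application's backend.

```python
import re
import sqlite3

# Constructed value of the kind the Reproduction section describes
# (a quote followed by an OR condition), used only against the sample DB.
CONSTRUCTED_INPUT = "x' OR '1'='1"

# Deliberately simple address shape check (assumption, not a full RFC parser).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def make_db():
    """Build a constructed sample table; the real schema is not on the page."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, role TEXT)")
    db.executemany(
        "INSERT INTO users (email, role) VALUES (?, ?)",
        [("admin@example.test", "admin"), ("client@example.test", "client")],
    )
    return db


def lookup_concatenated(db, email):
    """Weak form: the parameter is pasted into the SQL text, so a quote in
    the value changes the structure of the statement."""
    query = "SELECT email, role FROM users WHERE email = '" + email + "'"
    return db.execute(query).fetchall()


def lookup_parameterized(db, email, validate=True):
    """Corrected form: the value is bound as data and never parsed as SQL.
    The shape check is defence in depth; binding alone closes the injection."""
    if validate and not EMAIL_RE.fullmatch(email):
        return []
    query = "SELECT email, role FROM users WHERE email = ?"
    return db.execute(query, (email,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    for value in ("client@example.test", CONSTRUCTED_INPUT):
        print(repr(value))
        print("  concatenated :", lookup_concatenated(db, value))
        print("  parameterized:", lookup_parameterized(db, value))
```

With the constructed input, the concatenated lookup returns every row in the table, while the parameterized lookup returns none, with or without the shape check.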

Added: Dec 4, 2025, 9:33 PM
Updated: Dec 4, 2025, 9:33 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 8.7
remediation: 0.0
relevance: 1.4
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.