PHPGurukul Small CRM SQL Injection Vulnerability

A SQL injection vulnerability has been identified in PHPGurukul Small CRM version 3.0. The issue arises in the manage-tickets.php file, where the frm_id and aremark parameters can be exploited to inject malicious SQL queries. This vulnerability allows attackers to manipulate database queries, potentially leading to unauthorized data access or modification.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can interfere with the application's database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

To reproduce this vulnerability, send a request to manage-tickets.php with the frm_id and aremark parameters. Inject a malicious SQL payload into these parameters. To demonstrate the vulnerability, use a time-based SQL injection payload, such as one that includes a sleep command, to delay the server's response and indicate successful exploitation.