Obi08 Enrollment System
cpe:2.3:a:enrollment_system_project:enrollment_system:*:*:*:*:*:*:*
- 1.0
A SQL injection vulnerability has been identified in Obi08 Enrollment System version 1.0. The issue resides in the keyword parameter of the get_subject.php file, allowing unauthenticated attackers to execute arbitrary SQL queries. Exploitation of this vulnerability is possible through UNION-based injection, enabling the extraction of sensitive information such as usernames and passwords from the users table.
Exploitation of this vulnerability allows for arbitrary SQL query execution, with the potential to extract sensitive information from the database, including usernames and passwords.
The vulnerability can be reproduced by sending a POST request to the get_subject.php endpoint with a crafted SQL injection payload in the keyword parameter. The payload can be designed to exploit the application's SQL query handling, such as by using UNION-based injection to extract data from the database.
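The advisory does not include the source of get_subject.php, so the following is an added example and not the project's own code: a keyword search handler rewritten to bind the keyword as a parameter instead of building it into the SQL text. The `subjects` table, its columns, the DSN, the `app_readonly` account and the `search_subjects` function are assumptions made for illustration.

```php
<?php
// Added example: hypothetical rewrite of a keyword search handler.
// Table `subjects`, its columns, the DSN and the account name are assumptions.
declare(strict_types=1);

function search_subjects(PDO $pdo, string $keyword): array
{
    // Pattern that produces this class of bug (shown for contrast, not executed):
    //   $sql = "SELECT code, title FROM subjects
    //           WHERE title LIKE '%" . $_POST['keyword'] . "%'";
    // The request value becomes part of the SQL text and can alter the query.

    // Bound the input; a search term has no reason to be long.
    $keyword = mb_substr(trim($keyword), 0, 64);

    // Escape LIKE wildcards so % and _ in the input match literally.
    $pattern = '%' . addcslashes($keyword, '%_\\') . '%';

    // The placeholder keeps the value out of the SQL text entirely.
    $stmt = $pdo->prepare(
        'SELECT code, title FROM subjects WHERE title LIKE :pattern LIMIT 50'
    );
    $stmt->execute([':pattern' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = new PDO(
    'mysql:host=127.0.0.1;dbname=enrollment;charset=utf8mb4', // assumed DSN
    'app_readonly', // assumed account with SELECT on `subjects` only
    getenv('DB_PASSWORD') ?: '',
    [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // server-side prepared statements
    ]
);

// Reject anything that is not a POST with a scalar string keyword.
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !is_string($_POST['keyword'] ?? null)) {
    http_response_code(400);
    exit;
}

header('Content-Type: application/json');
echo json_encode(search_subjects($pdo, $_POST['keyword']));
```

Running the search under a database account that has no privileges on the users table limits what a query flaw in this endpoint can read, independently of the parameter binding.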