Code-Projects Online Shoe Store SQL Injection Vulnerability

A critical SQL injection vulnerability has been identified in Code-Projects Online Shoe Store version 1.0. The issue resides in the file '/function/login.php', where user-supplied email and password parameters are directly inserted into an SQL query without proper validation or sanitization. This vulnerability can be exploited remotely, potentially leading to unauthorized access to the application's database or even remote code execution.

Impact

Exploitation of this vulnerability allows for SQL injection, with the possibility of accessing and manipulating the database. According to the vulnerability disclosure, this could also lead to remote code execution.

Reproduction

To reproduce this vulnerability, send a POST request to '/function/login.php' with crafted email and password parameters that include SQL injection payloads. The lack of input sanitization will allow the injection of malicious SQL code, which can be used to manipulate the database or execute arbitrary commands on the server.