Campcodes School Faculty Scheduling System SQL Injection Vulnerability

A critical SQL injection vulnerability has been identified in Campcodes School Faculty Scheduling System version 1.0. The issue arises in the file /admin/ajax.php, specifically within the login action. The vulnerability allows for remote exploitation by manipulating the username parameter, which is not properly sanitized before being used in a database query. This flaw could be exploited to execute arbitrary SQL commands, potentially leading to unauthorized data access or manipulation.

Impact

Exploitation of this vulnerability allows for blind SQL injection, where an attacker can execute SQL commands on the database. This could be used to extract, modify, or delete data, or in some cases, execute administrative operations.

Reproduction

To reproduce this vulnerability, send a POST request to /scheduling/admin/ajax.php?action=login. Include a crafted payload in the username field that exploits the SQL injection vulnerability, such as injecting SQL commands that manipulate the database query execution. The password field can be filled with any value, as it is not relevant to the exploitation.