code-projects Responsive Hotel Site
cpe:2.3:a:responsive_hotel_site_project:responsive_hotel_site:*:*:*:*:*:*:*
- 1.0
A critical SQL injection vulnerability has been identified in Code-Projects Responsive Hotel Site version 1.0. The issue arises in an unknown function within the file /admin/print.php, where the 'pid' parameter is not properly sanitized or parameterized. This lack of input validation allows attackers to inject malicious SQL code, potentially manipulating database queries. The vulnerability can be exploited remotely, and the details of the exploit have been made public.
Successful exploitation lets an attacker have the database execute injected SQL queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.
To reproduce this vulnerability, send a GET request to /admin/print.php with a crafted 'pid' parameter that includes SQL injection payloads, such as UNION-based injections. The injected SQL code will be executed by the application, demonstrating the vulnerability.
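One way to close the gap described above, shown as an added example rather than the project's own code: the 'pid' value is accepted only as a plain integer and is then bound as a query parameter. The `booking` table, its columns, the `fetch_booking()` helper and the in-memory SQLite database are assumptions made for illustration, since the schema used by /admin/print.php is not given here.

```php
<?php
declare(strict_types=1);
// Added example (PHP 8+), not the project's code. The booking table, its
// columns and fetch_booking() are hypothetical; the data is constructed.

// In-memory SQLite stand-in for the application's database.
function demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE booking (id INTEGER PRIMARY KEY, guest TEXT, total REAL)');
    $db->exec("INSERT INTO booking VALUES (1, 'Guest A', 120.0), (2, 'Guest B', 80.5)");
    return $db;
}

// Weak pattern, for contrast: the request value becomes part of the SQL text.
//   $sql = "SELECT * FROM booking WHERE id = '" . $_GET['pid'] . "'";

// Hardened lookup: strict integer validation, then a bound parameter.
function fetch_booking(PDO $db, mixed $rawPid): ?array
{
    // Refuse arrays (pid[]=...), empty values and anything but 1-9 digits.
    if (!is_string($rawPid) || preg_match('/\A[1-9][0-9]{0,8}\z/', $rawPid) !== 1) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, guest, total FROM booking WHERE id = :pid');
    $stmt->bindValue(':pid', (int) $rawPid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = demo_db();
// Constructed inputs; in the application the value would be $_GET['pid'] ?? null.
foreach (['1', "2'", '1 abc', ['2'], '', '999'] as $pid) {
    $row = fetch_booking($db, $pid);
    printf("%-8s => %s\n", json_encode($pid), $row ? $row['guest'] : 'rejected or not found');
}
```

Only the first input returns a row; the malformed values are refused before any SQL is prepared, and the bound parameter keeps the query text fixed even if the validation were loosened later.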