Code-Projects Online Book Shop SQL Injection Vulnerability

A critical SQL injection vulnerability has been identified in Code-Projects Online Book Shop version 1.0. The issue arises in the file '/search_result.php', where the 's' parameter is manipulated, allowing for unauthorized SQL query execution. This vulnerability can be exploited remotely, potentially leading to unauthorized database access or even remote code execution.

Impact

Exploitation of this vulnerability allows for SQL injection, with the possibility of accessing the database unauthorized or executing arbitrary code remotely, according to the vulnerability disclosure.

Reproduction

The vulnerability can be reproduced by sending a crafted request to the '/search_result.php' file with a payload that manipulates the 's' parameter. This can be done using a tool like SQLMap, which can automate the exploitation of SQL injection vulnerabilities. Once the injection is successful, an attacker could use SQLMap to enumerate databases or gain a shell on the server to execute commands.