SourceCodester Pet Grooming Management Software SQL Injection Vulnerability in ajax_product.php

A SQL injection vulnerability has been identified in SourceCodester Pet Grooming Management Software version 1.0. The issue arises in the file /admin/ajax_product.php, where the drop_services parameter is not properly validated or sanitized. This lack of input validation allows attackers to manipulate the SQL query, potentially leading to unauthorized data access or modification. The vulnerability can be exploited remotely, and a public exploit is available.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can interfere with the application's database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

To reproduce this vulnerability, log into the application and navigate to the admin/ajax_product.php page. Once there, send a POST request that includes the drop_services parameter. The value of this parameter should be crafted to include SQL injection payloads, such as SQL syntax that could manipulate the database query processing. After the request is sent, the injected SQL payload will be executed by the application, demonstrating the SQL injection vulnerability.