Campcodes Online Beauty Parlor Management System SQL Injection Vulnerability

Vulnerability

A SQL injection vulnerability has been identified in Campcodes Online Beauty Parlor Management System version 1.0. The issue is in the file '/admin/bwdates-reports-details.php', where manipulation of the 'fromdate' and 'todate' parameters leads to SQL injection. The vulnerability can be exploited remotely, and a public exploit is available.

Impact

Successful exploitation lets an attacker manipulate database queries, potentially leading to unauthorized data access or modification.

Reproduction

To reproduce this vulnerability, log into the application and navigate to the admin reports section. Send a POST request to '/admin/bwdates-reports-details.php' with the 'fromdate' parameter set to a date value and the 'todate' parameter set to a later date. The injection can then be verified with the sqlmap tool, which identifies the injection point and demonstrates exploitability, for example by retrieving database information.
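
One way to close this class of injection on the 'fromdate' and 'todate' parameters, shown as an added example (not the vendor's code and not taken from the application): accept each value only if it is a real calendar date, and pass it to the database only as a bound parameter. The table and column names and the in-memory SQLite database are assumptions made so the script runs offline.

```php
<?php
// Added example, not the application's code. Table and column names
// (invoices, posting_date) are hypothetical; in-memory SQLite stands in
// for the real database so the script runs offline.
declare(strict_types=1);

/** Return $raw if it is a real calendar date in Y-m-d form, else null. */
function parse_report_date($raw): ?string
{
    if (!is_string($raw) || !preg_match('/\A\d{4}-\d{2}-\d{2}\z/', $raw)) {
        return null;
    }
    $d = DateTimeImmutable::createFromFormat('!Y-m-d', $raw);
    // Round-trip check rejects overflow dates such as 2025-02-31.
    return ($d !== false && $d->format('Y-m-d') === $raw) ? $raw : null;
}

/** Query the report range with bound parameters; null means "reject". */
function fetch_report(PDO $db, $from, $to): ?array
{
    $from = parse_report_date($from);
    $to   = parse_report_date($to);
    if ($from === null || $to === null || $from > $to) {
        return null; // caller should answer HTTP 400 and never build SQL
    }
    $stmt = $db->prepare(
        'SELECT id, posting_date FROM invoices
          WHERE posting_date BETWEEN :from AND :to ORDER BY id'
    );
    $stmt->execute([':from' => $from, ':to' => $to]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE invoices (id INTEGER PRIMARY KEY, posting_date TEXT)');
$db->exec("INSERT INTO invoices (posting_date) VALUES
           ('2025-01-10'), ('2025-02-15'), ('2025-03-20')");

// A well-formed range reaches the prepared statement.
var_dump(fetch_report($db, '2025-02-01', '2025-02-28'));
// Constructed malformed values: each is stopped by validation.
var_dump(fetch_report($db, "2025-02-01' OR '1'='1", '2025-02-28'));
var_dump(fetch_report($db, ['2025-02-01'], '2025-02-28'));
var_dump(fetch_report($db, '2025-02-31', '2025-03-01'));
```

Validation alone narrows the input; the bound parameters are what keep the values out of the SQL text, so both layers belong in the fix.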

Added: Sep 22, 2025, 5:28 PM
Updated: Sep 23, 2025, 12:24 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 6.6
remediation: 0.0
relevance: 0.6
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.