Campcodes Gym Management System SQL Injection Vulnerability in ajax.php
Vulnerability
A SQL injection vulnerability has been identified in Campcodes Gym Management System version 1.0. The issue arises in the file ajax.php, specifically within an unknown function handling the login action. The vulnerability can be exploited remotely by manipulating the Username parameter. This flaw allows attackers to interfere with SQL queries, potentially leading to unauthorized data access or modification.
Impact
Exploitation of this vulnerability allows for SQL injection, where an attacker can manipulate database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.
Reproduction
To reproduce this vulnerability, send a POST request to 'gym/ajax.php?action=login' with a crafted 'username' value that includes SQL injection payloads. The 'password' field can be filled with any value. The injection can be verified by using payloads that, for example, cause a time delay, indicating successful exploitation.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.