itsourcecode Online Clinic Management System SQL Injection Vulnerability

A SQL injection vulnerability has been identified in the Online Clinic Management System version 1.0. The issue arises in the file details.php when the action parameter is set to post. The vulnerability allows remote attackers to manipulate the ID argument, leading to unauthorized access to the database. Exploitation of this vulnerability could result in the extraction of sensitive information, such as administrative credentials, potentially leading to a complete compromise of the system.

Impact

Exploitation of this vulnerability allows for union-based SQL injection, enabling attackers to manipulate SQL queries and exfiltrate sensitive data from the database. This could include administrative credentials, which could be used to compromise the entire system.

Reproduction

To reproduce this vulnerability, send a request to the details.php file with the action parameter set to post. Manipulate the ID argument to inject malicious SQL payloads. The injection can be verified by checking if the application returns database information or if it is possible to extract sensitive data such as admin credentials.