Abdullah-Hasan-Sajjad Online-School SQL Injection Vulnerability in studentLogin.php

Vulnerability

A SQL injection vulnerability has been identified in Abdullah-Hasan-Sajjad Online-School in versions prior to commit f09dda77b4c29aa083ff57f4b1eb991b98b68883. The flaw is in studentLogin.php: the Email parameter submitted through the student login form is concatenated directly into the SQL query text without input validation or parameterization, so a remote, unauthenticated attacker can change the structure of the statement the application sends to the database.

Impact

An attacker who exploits this flaw can manipulate the database query issued by the login handler. Because the injection point is the login query itself, the classic consequence is authentication bypass; depending on the privileges of the database account the application uses, it can also lead to unauthorized reading or modification of student and other application data and, in some configurations, to administrative operations on the database.

Reproduction

To reproduce, open the student login page of an affected deployment and submit a crafted value in the Email field. Because the value is placed into the SQL statement unsanitized, any input containing SQL syntax (a single quote that closes the string literal, for example) alters the query the application runs; a database error or a successful login without valid credentials on such input confirms the issue. The fix is in commit f09dda77b4c29aa083ff57f4b1eb991b98b68883; the underlying remediation is to issue the login query as a prepared statement with bound parameters instead of building it by concatenation.
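The following is an added, self-contained illustration of the bug class described above, not code from the Online-School project. It models a login handler in Python against an in-memory SQLite table (the table name, columns and rows are constructed fixtures, and the passwords are stored in plaintext only to keep the example short): vulnerable_login builds the query by string concatenation, exactly the pattern the advisory attributes to studentLogin.php, while safe_login binds the same inputs as parameters. probe runs the two checks a tester would try against the Email field, a lone quote (does the database error?) and a tautology payload (does it log in with a wrong password?).

```python
import sqlite3

# Constructed fixture standing in for a students table; schema and data are
# assumptions for this example, not the project's real schema.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE students (id INTEGER PRIMARY KEY, email TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO students (email, password) VALUES (?, ?)",
        [("alice@example.com", "alice-pass"), ("bob@example.com", "bob-pass")],
    )
    conn.commit()
    return conn


def vulnerable_login(conn, email, password):
    """Hypothetical handler: query text is built by concatenating user input,
    so the Email value is parsed as SQL rather than treated as data."""
    sql = (
        "SELECT id, email FROM students WHERE email = '" + email
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone()


def safe_login(conn, email, password):
    """Hardened handler: the same query with bound parameters. The driver sends
    the values separately from the statement, so quotes in the input cannot
    change its structure."""
    return conn.execute(
        "SELECT id, email FROM students WHERE email = ? AND password = ?",
        (email, password),
    ).fetchone()


# Tautology payload for the Email field: closes the string literal, ORs in a
# condition that is always true, and comments out the password check.
PAYLOAD = "x' OR '1'='1' -- "


def probe(login_fn, conn):
    """Two quick injectability checks against the Email field.
    quote_error: does a single trailing quote break the statement?
    tautology_bypass: does the payload log in with a wrong password?"""
    findings = {}
    try:
        login_fn(conn, "a@example.com'", "pw")
        findings["quote_error"] = False
    except sqlite3.OperationalError:
        findings["quote_error"] = True
    findings["tautology_bypass"] = login_fn(conn, PAYLOAD, "wrong") is not None
    return findings


def demo():
    """Runs both handlers with legitimate credentials and with the payload."""
    conn = build_db()
    return {
        "legit_vulnerable": vulnerable_login(conn, "alice@example.com", "alice-pass"),
        "bypass_vulnerable": vulnerable_login(conn, PAYLOAD, "wrong"),
        "legit_safe": safe_login(conn, "alice@example.com", "alice-pass"),
        "bypass_safe": safe_login(conn, PAYLOAD, "wrong"),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(name, "->", row)
    print("vulnerable:", probe(vulnerable_login, build_db()))
    print("safe:", probe(safe_login, build_db()))
```

Against the concatenated query the payload returns the first student row with no valid password, which is the authentication bypass the Impact section refers to; against the parameterized query the identical input simply matches no row. The same two probes, a trailing quote and a tautology, are what to send through the real login form when checking a deployment for this issue.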

Added: Oct 27, 2025, 1:21 PM
Updated: Oct 27, 2025, 1:21 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.1
exploitability: 8.7
remediation: 0.0
relevance: 0.8
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.