itsourcecode Billing System SQL Injection Vulnerability in Login CRUD File

A SQL injection vulnerability has been identified in itsourcecode Billing System version 1.0. The issue arises in the login_crud.php file within the admin/app directory. The vulnerability allows remote attackers to manipulate the Password parameter, leading to unauthorized database access. This flaw exists because user input is directly incorporated into SQL queries without proper validation or sanitization, enabling attackers to alter the query's logic and bypass authentication.

Impact

Exploitation of this vulnerability allows attackers to execute arbitrary SQL commands, potentially leading to unauthorized data access, data manipulation, or bypassing authentication mechanisms.

Reproduction

To reproduce this vulnerability, send a POST request to /admin/app/login_crud.php with a crafted payload in the Password parameter that includes SQL injection techniques, such as commenting out the rest of the SQL query or using SQL functions to manipulate the database.