Code-Projects Student Information System SQL Injection Vulnerability

A SQL injection vulnerability has been identified in Code-Projects Student Information System version 2.0. The issue arises in the index.php file, where the application improperly sanitizes the 'username' parameter before incorporating it into an SQL query. This flaw allows remote attackers to manipulate the input and execute arbitrary SQL commands, potentially leading to unauthorized data access or modification.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can interfere with the application's database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

To reproduce this vulnerability, send a POST request to '/index.php' with the 'username' and 'password' fields. The application will process the 'username' input without proper sanitization, allowing for SQL injection. After exploitation, the injected SQL payload can be used to extract or manipulate database information.