g33kyrash Online Banking System SQL Injection Vulnerability
Vulnerability
A SQL injection vulnerability has been identified in g33kyrash Online Banking System versions prior to the commit 12dbfa690e5af649fb72d2e5d3674e88d6743455. The issue resides in the file /index.php, where the Username parameter can be manipulated to execute arbitrary SQL commands. This vulnerability can be exploited remotely, without authentication, allowing attackers to access sensitive database information such as user credentials and financial data.
Impact
Exploitation of this vulnerability allows for unauthorized SQL injection, enabling attackers to extract confidential database information, including user credentials and financial details. This could lead to a complete compromise of the database.
Reproduction
The vulnerability can be reproduced by navigating to the login page and entering a crafted SQL payload in the username field. For example, using an injection that exploits the application's SQL query handling can extract database information, such as the database name, indicating successful exploitation.
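The following Python/sqlite3 snippet is an added illustration, not code from the g33kyrash project (whose actual query is not reproduced in this advisory). It contrasts a login query built by string concatenation, the class of defect described above, with the parameterised form that fixes it; the table schema, user row and column names are constructed placeholders.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the banking app's user table (hypothetical schema).
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.execute(
        "INSERT INTO users (username, password_hash) VALUES ('alice', 'hash-of-alice-pw')"
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password_hash):
    # The untrusted Username value is spliced straight into the SQL text, so quote
    # characters in the input change the structure of the statement.
    sql = (
        "SELECT id FROM users WHERE username = '" + username + "' "
        "AND password_hash = '" + password_hash + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_hardened(conn, username, password_hash):
    # Parameterised query: the driver binds the values separately from the SQL text,
    # so the input is only ever compared as a literal string.
    sql = "SELECT id FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchone() is not None


def demo():
    conn = make_db()
    # Constructed input: an embedded quote plus a comment marker. In the concatenated
    # query it terminates the username literal and comments out the password check.
    crafted = "alice' -- "
    return {
        "vulnerable_accepts_crafted": login_vulnerable(conn, crafted, "wrong"),
        "hardened_accepts_crafted": login_hardened(conn, crafted, "wrong"),
        "hardened_accepts_valid": login_hardened(conn, "alice", "hash-of-alice-pw"),
    }


if __name__ == "__main__":
    print(demo())
```

Running it shows the concatenated query accepting the crafted username with a wrong password while the parameterised query rejects it and still accepts the valid credentials.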