Codehub666 94list SQL Injection Vulnerability in Login Function
Vulnerability
A SQL injection vulnerability has been identified in the Codehub666 94list application, specifically in the login function within the file 'function.php'. This vulnerability allows remote attackers to manipulate SQL queries by exploiting the 'user' parameter, potentially leading to unauthorized access or data manipulation. The issue arises because the application fails to properly sanitize user input before incorporating it into SQL commands.
Impact
Exploitation of this vulnerability allows for SQL injection, where an attacker can interfere with the application's database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.
Reproduction
To reproduce this vulnerability, send a POST request to 'api.php' with the 'type' parameter set to 'login', the 'user' parameter containing a crafted SQL injection payload, and the 'pass' parameter set to '1'. The injected SQL code can be designed to, for example, delay the response by several seconds, indicating successful exploitation.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.