Campcodes Complete Online Beauty Parlor Management System SQL Injection Vulnerability

A SQL injection vulnerability has been identified in Campcodes Complete Online Beauty Parlor Management System version 1.0. The issue resides in the file '/admin/view-appointment.php', where the 'viewid' parameter is not properly validated, allowing attackers to inject malicious SQL queries. This vulnerability can be exploited remotely, without any authentication.

Impact

Exploitation of this vulnerability allows unauthorized access to the database, where attackers can manipulate or delete data, access sensitive information, and potentially disrupt services.

Reproduction

The vulnerability can be reproduced by sending a crafted request to the '/admin/view-appointment.php' file with a manipulated 'viewid' parameter. This can be done using a variety of payloads, such as those that exploit boolean-based blind SQL injection or time-based blind SQL injection techniques. The injection can also be performed using a UNION-based SQL injection payload, which can extract data from the database by appending a SQL query to the original one processed by the application.

Remediation

It is recommended to use prepared statements and parameter binding to prevent SQL injection, validate and filter user input, minimize database user permissions, and conduct regular security audits.