PHPGurukul/Campcodes Online Shopping Portal
cpe:2.3:a:phpgurukul:online_shopping_portal:*:*:*:*:*:*:*
- 2.1
A critical SQL injection vulnerability has been identified in PHPGurukul/Campcodes Online Shopping Portal version 2.1. The issue resides in the search-result.php file, where the product parameter is not properly validated, allowing attackers to manipulate SQL queries and execute unauthorized commands. This vulnerability can be exploited remotely, potentially leading to the theft of sensitive database information.
Exploiting this vulnerability allows an attacker to execute arbitrary SQL commands. This could result in unauthorized data access, data manipulation, or, in some cases, execution of commands on the server if the database has such capabilities.
To reproduce this vulnerability, send a request to the /search-result.php endpoint with a crafted product parameter that includes SQL injection payloads. The lack of input validation will allow the injected SQL code to be executed, demonstrating the vulnerability.
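A hardened form of such a search query, as an added example that is not PHPGurukul/Campcodes code: it binds the product value as a parameter instead of concatenating it into the SQL string. The page does not show the contents of search-result.php, so the products table, its columns, the 100-byte limit, the use of mysqli and the function names are all assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not the project's code. Table/column names are assumptions.
// Requires PHP 8+ with mysqli and the mysqlnd driver (for get_result()).

// Throw exceptions on DB errors so they can be logged server-side
// instead of being echoed to the client.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Pattern to avoid (illustrative): request data concatenated into the query,
// so the value is parsed as SQL rather than treated as data.
//   $sql = "SELECT ... WHERE productName LIKE '%" . $product . "%'";

/** Accept only a non-empty string of bounded length; reject anything else. */
function normalize_search_term(mixed $raw): ?string
{
    if (!is_string($raw)) {          // e.g. product[]=x arrives as an array
        return null;
    }
    $term = trim($raw);
    if ($term === '' || strlen($term) > 100) {
        return null;
    }
    return $term;
}

/** Run the search with the term bound as a parameter, never as SQL text. */
function search_products(mysqli $db, string $term): array
{
    // Escape LIKE wildcards so % and _ in the input match literally.
    $pattern = '%' . addcslashes($term, '\\%_') . '%';

    $stmt = $db->prepare(
        'SELECT id, productName, productPrice
           FROM products
          WHERE productName LIKE ?
          LIMIT 50'
    );
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Caller sketch (assumes $db is an open mysqli connection):
//   $term = normalize_search_term($_REQUEST['product'] ?? null);
//   $rows = $term === null ? [] : search_products($db, $term);
```

The length and type checks only narrow what reaches the query; the bound parameter is what keeps the value from being interpreted as SQL.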