Blood Bank Management System SQL Injection Vulnerability

A critical SQL injection vulnerability has been identified in the Blood Bank Management System version 1.0. The issue arises in the admin/delete_members.php file, where the member_id parameter can be manipulated to inject malicious SQL queries. This vulnerability is exploitable remotely and has been publicly disclosed.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can inject and execute malicious SQL queries. This could lead to unauthorized access to the database, manipulation of database contents, or potentially executing administrative operations on the database.

Reproduction

To reproduce this vulnerability, log into the application with super admin privileges. Navigate to the delete_members.php page in the admin directory and append a SQL injection payload to the member_id parameter. The application will respond with a SQL error, indicating that the injection was successful. This vulnerability can be exploited manually or with automated tools like SQLMap.