Code-Projects Blood Bank Management System SQL Injection Vulnerability

A critical SQL injection vulnerability has been identified in Code-Projects Blood Bank Management System version 1.0. The issue resides in the file '/admin/add_city.php', where the 'code' parameter is vulnerable to injection. This vulnerability allows remote attackers to manipulate SQL queries, potentially compromising the application's database and the data it holds.

Impact

Exploitation of this vulnerability allows for SQL injection, where attackers can inject malicious SQL queries into the application's database. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

To reproduce this vulnerability, log into the application with admin privileges. Navigate to the '/admin/city.php' page, fill out the required details, and submit the form. Intercept the request using a tool like Burp Suite. Inject a simple SQL injection payload into the 'code' parameter and observe the application's response. The application will return an SQL error, indicating that the injection was successful. This vulnerability can be exploited manually or with automated tools like SQLMap.