Code-Projects Blood Bank Management System SQL Injection Vulnerability in Admin Login Page

A critical SQL injection vulnerability has been identified in Code-Projects Blood Bank Management System version 1.0. The issue resides in the admin login page, specifically within the admin_login.php file. This vulnerability allows remote attackers to inject malicious SQL queries into the backend database, potentially compromising the confidentiality, integrity, and availability of the data and the system.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can manipulate database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

To reproduce this vulnerability, log into the application and navigate to the admin login page. After logging in, go to the admin index page. Intercept the login request using a tool like Burp Suite. Inject a simple SQL injection payload into the username parameter and submit the request. The application will respond with a SQL error, indicating that the injection was successful. This vulnerable endpoint can then be exploited using SQLMap or manually.