PHPGurukul Apartment Visitors Management System SQL Injection Vulnerability

A critical SQL injection vulnerability has been identified in the PHPGurukul Apartment Visitors Management System, version 1.0. The issue resides in the Sign In component, specifically within the '/index.php' file. The vulnerability is triggered by manipulating the 'username' parameter, allowing remote attackers to inject malicious SQL commands. This exploitation can bypass authentication and access sensitive information, with a potential denial-of-service impact by dropping SQL tables.

Impact

Exploitation of this vulnerability allows for SQL injection, which can be used to bypass authentication, access sensitive information, disrupt database operations by dropping SQL tables, and in some cases, upload arbitrary files.

Reproduction

To reproduce this vulnerability, send a POST request to '/avms/index.php' with the 'username' parameter set to an injected SQL payload, such as 'admin' followed by a SQL comment delimiter. Include a password, although the injection bypasses the need for a valid one.