SourceCodester Kortex Lite Advocate Office Management System SQL Injection Vulnerability

A critical SQL injection vulnerability has been identified in SourceCodester Kortex Lite Advocate Office Management System version 1.0. The issue arises in the edit_act.php file, where the 'id' parameter is manipulated, allowing attackers to inject malicious SQL queries. This vulnerability can be exploited remotely, leading to unauthorized access and extraction of sensitive information from the database.

Impact

Exploitation of this vulnerability allows attackers to inject and execute malicious SQL queries, potentially leading to unauthorized access and extraction of sensitive database information. If the database user has elevated privileges, this could result in more severe consequences, such as gaining access to the underlying server.

Reproduction

The vulnerability can be reproduced by sending a crafted GET request to the edit_act.php file with a manipulated 'id' parameter. The injection can be performed using time-based blind SQL injection techniques, such as using the SQL 'SLEEP' function to infer database responses. Alternatively, the injection can be executed using UNION-based payloads to extract database information.