Code-Projects Payroll Management System SQL Injection Vulnerability in add_overtime.php

A critical SQL injection vulnerability has been identified in Code-Projects Payroll Management System version 1.0. The issue resides in the add_overtime.php file, where the rate parameter can be manipulated to execute arbitrary SQL commands. This vulnerability can be exploited remotely, potentially allowing attackers to access sensitive information from the application's database.

Impact

Exploitation of this vulnerability allows for unrestricted SQL injection, where an attacker can execute arbitrary SQL commands. This could lead to unauthorized data access, data manipulation, or in some cases, executing commands on the server under the application's database user privileges.

Reproduction

To reproduce this vulnerability, send a POST request to the add_overtime.php endpoint. Include a crafted payload in the rate parameter that exploits the SQL injection flaw, such as a SQL injection payload that, for example, retrieves database information.