PHPGurukul Men Salon Management System SQL Injection Vulnerability in About Us Page

A critical SQL injection vulnerability has been identified in PHPGurukul Men Salon Management System version 1.0. The issue resides in the admin/about-us.php file, where the pagetitle parameter is manipulated to inject malicious SQL queries. This vulnerability can be exploited remotely, allowing attackers to gain unauthorized access to the database, leak sensitive information, tamper with data, and potentially disrupt services.

Impact

Exploitation of this vulnerability allows for unauthorized database access, leakage of sensitive data, data manipulation, and could lead to complete control over the system or disruption of services.

Reproduction

The vulnerability can be reproduced by sending a POST request to the admin/about-us.php page with the pagetitle parameter. The injected SQL payload can be crafted to exploit the time-based blind SQL injection vulnerability, such as by using a payload that includes a sleep command to delay the response, indicating successful injection.

Remediation

To address this vulnerability, it is recommended to use prepared statements and parameter binding to separate SQL code from user input, validate and filter user input to ensure it meets expected formats, minimize database user permissions, and conduct regular security audits.