PHPGurukul Online Birth Certificate System SQL Injection Vulnerability in Search Module

A critical SQL injection vulnerability has been identified in PHPGurukul Online Birth Certificate System version 1.0. The issue resides in the admin/search.php file, where the searchdata parameter is manipulated to inject malicious SQL queries. This vulnerability can be exploited remotely without authentication, allowing attackers to gain unauthorized access to the database, modify or delete data, and access sensitive information.

Impact

Exploitation of this vulnerability allows for SQL injection, enabling attackers to manipulate database queries. This could lead to unauthorized data access, data modification or deletion, and in some cases, executing administrative operations on the database.

Reproduction

The vulnerability can be reproduced by sending a POST request to the admin/search.php file with the searchdata parameter. The injection can be performed using a time-based blind SQL injection payload, such as one that uses the SQL SLEEP function to create a delay, or a UNION-based payload to extract data from the database.

Remediation

It is recommended to implement input validation and sanitization for the searchdata parameter, use prepared statements to prevent SQL injection, and conduct regular security audits to identify and address vulnerabilities.