PHPGurukul Park Ticketing Management System
cpe:2.3:a:phpgurukul:park_ticketing_management_system:*:*:*:*:*:*:*
- 2.0
A SQL injection vulnerability has been identified in the PHPGurukul Park Ticketing Management System version 2.0. The issue resides in the add-foreigners-ticket.php file, where remote attackers can execute arbitrary code by injecting payloads through the cprice POST request parameter. This vulnerability is classified as time-based blind SQL injection.
Exploitation of this vulnerability could lead to unauthorized data access, data manipulation, and execution of arbitrary code on the server.
To reproduce this vulnerability, log into the admin panel and navigate to the 'Foreigners Ticket' section. Intercept the request using Burp Suite, and inject a payload into the 'cprice' parameter that exploits the SQL injection vulnerability. Send the modified request and observe a delay in the response, confirming the injection.
It is recommended to sanitize and validate all user inputs, use prepared statements for database queries, and implement a Content Security Policy to mitigate injection risks.
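The defect described above and the recommended fix, as an added example that is not the project's own code: a constructed stand-in for the ticket insert in add-foreigners-ticket.php, written in Python with SQLite so it runs offline (the table name, the column type and the allow-list rule for cprice are assumptions).

```python
import re
import sqlite3
from decimal import Decimal

# Constructed schema standing in for the real ticket table (assumption, not PHPGurukul's).
SCHEMA = "CREATE TABLE tblforeignersticket (id INTEGER PRIMARY KEY, cprice TEXT NOT NULL)"


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def insert_vulnerable(conn, cprice):
    # String concatenation: the request value becomes part of the SQL text, so a
    # quote in it changes the statement's structure instead of being stored as data.
    conn.execute(f"INSERT INTO tblforeignersticket (cprice) VALUES ('{cprice}')")
    conn.commit()


def bind_insert(conn, cprice):
    # Prepared statement: the value is bound separately from the SQL text and can
    # never alter the query, whatever characters it contains.
    conn.execute("INSERT INTO tblforeignersticket (cprice) VALUES (?)", (cprice,))
    conn.commit()


def validate_price(cprice):
    """Allow-list check (assumed rule): non-negative decimal, at most two places."""
    if not re.fullmatch(r"\d{1,6}(\.\d{1,2})?", cprice):
        raise ValueError(f"invalid cprice: {cprice!r}")
    return Decimal(cprice)


def insert_hardened(conn, cprice):
    # Validation first (rejects anything that is not a price), then parameter binding.
    bind_insert(conn, str(validate_price(cprice)))


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM tblforeignersticket").fetchone()[0]


def stored_prices(conn):
    return [r[0] for r in conn.execute("SELECT cprice FROM tblforeignersticket ORDER BY id")]
```

With the same quote-bearing input, the concatenated version inserts an extra row the user never asked for, the bound version stores the input verbatim as one value, and the hardened version rejects it before any query runs.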