PHPGurukul Zoo Management System SQL Injection Vulnerability in Profile Management

Vulnerability

A critical SQL injection vulnerability has been identified in PHPGurukul Zoo Management System version 2.1. The issue resides in the admin profile management file, in the handling of the contactnumber parameter. Remote attackers can inject malicious SQL through this parameter and have it executed without authorization, potentially leading to unauthorized database access, data manipulation, and disclosure of sensitive information.

Impact

Exploitation of this vulnerability allows for unauthorized database access, manipulation or deletion of data, and extraction of sensitive information. Such actions could disrupt normal system operations and cause significant business impact.

Reproduction

The vulnerability can be reproduced by sending a POST request to '/admin/profile.php' with an injected payload in the 'contactnumber' parameter. The injection can be crafted to exploit time-based blind SQL injection techniques, such as using the SQL 'SLEEP' function to demonstrate the injection's effectiveness.

Remediation

It is recommended to implement prepared statements and parameter binding to prevent SQL injection. Additionally, input validation and filtering should be applied to ensure that user input meets expected formats, thereby blocking malicious data. Finally, database user permissions should be minimized to limit access rights.
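The first two recommendations, sketched as an added example that is not PHPGurukul's code: an allow-list check on the contact number followed by an UPDATE with bound parameters. The table and column names, the 10-digit format, and the function names are assumptions, and an in-memory SQLite database stands in for the application's database so the script runs offline.

```php
<?php
// Added example, not the project's code. Table/column names are hypothetical.
declare(strict_types=1);

// Allow-list validation: accept exactly 10 digits (assumed format), nothing else.
function validContactNumber(string $raw): ?string
{
    $value = trim($raw);
    return preg_match('/\A[0-9]{10}\z/', $value) === 1 ? $value : null;
}

// Parameter binding: the value travels as data and is never spliced into SQL text.
function updateContactNumber(PDO $db, int $adminId, string $raw): bool
{
    $number = validContactNumber($raw);
    if ($number === null) {
        return false; // rejected before any query is built
    }
    $stmt = $db->prepare(
        'UPDATE admin_profile SET contact_number = :num WHERE id = :id'
    );
    $stmt->bindValue(':num', $number, PDO::PARAM_STR);
    $stmt->bindValue(':id', $adminId, PDO::PARAM_INT);
    return $stmt->execute();
}

// Constructed fixture: in-memory SQLite so the example needs no server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE admin_profile (id INTEGER PRIMARY KEY, contact_number TEXT)');
$db->exec("INSERT INTO admin_profile (id, contact_number) VALUES (1, '5550100000')");

// Constructed inputs: one well-formed, one carrying SQL metacharacters.
$inputs = ['5550100001', "5550100001' OR '1'='1"];
foreach ($inputs as $input) {
    $ok = updateContactNumber($db, 1, $input);
    printf("%-26s => %s\n", $input, $ok ? 'updated' : 'rejected');
}

// The stored value is the validated number; the second input never reached SQL.
$stored = $db->query('SELECT contact_number FROM admin_profile WHERE id = 1')
             ->fetchColumn();
printf("stored value: %s\n", $stored);
```

Binding alone is what keeps the input out of the query text; the format check is a second layer that also keeps malformed data out of the table.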

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 5.0
exploitability: 9.1
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.