PHPGurukul Credit Card Application Management System
cpe:2.3:a:phpgurukul:credit_card_application_management_system:*:*:*:*:*:*:*
- 1.0
A critical SQL injection vulnerability has been identified in PHPGurukul Credit Card Application Management System version 1.0. The issue arises in an unknown function of the file /admin/index.php, where the Username parameter can be manipulated to inject SQL commands. This vulnerability is exploitable remotely and allows attackers to access sensitive information from the backend MySQL database, including admin credentials, email addresses, and phone numbers. The vulnerability undermines the application's authentication mechanism by enabling complete compromise of user login details.
The injection is time-based and blind: the injected SQL produces no visible output, so an attacker infers database contents from differences in response delay rather than from the page itself. This can lead to unauthorized data access or manipulation; in this case it was possible to extract admin credentials, email addresses, and phone numbers from the database.
To reproduce this vulnerability, send a request to the login endpoint (/ccams/admin/index.php) with a crafted payload that exploits the SQL injection vulnerability in the Username parameter. The injection can be timed to extract data from the database, taking advantage of the application's SQL query handling.
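As an added illustration (not PHPGurukul's own source; the table and column names are assumed), the string-concatenated login query pattern that lets the Username parameter change the SQL, beside a prepared-statement version that removes the injection:

```php
<?php
// Hypothetical admin login handler, not the project's actual code.
// Table "admin" and its columns are assumed for illustration.

// VULNERABLE PATTERN (do not deploy): the Username value is concatenated
// straight into the SQL string, so a quote or operator in it becomes part
// of the query. Because the attacker controls query structure, a delay
// can be introduced and observed, which is what makes blind, time-based
// extraction possible even when the page shows no query output.
function vulnerable_login(mysqli $db, string $username, string $password): bool
{
    $sql = "SELECT id FROM admin WHERE username='" . $username
         . "' AND password='" . md5($password) . "'";
    $result = $db->query($sql);            // user input reaches the SQL parser
    return $result !== false && $result->num_rows === 1;
}

// HARDENED VERSION: a prepared statement sends the query text and the
// parameter separately, so the bound value can never alter the query
// structure. Passwords are checked with password_verify() instead of
// comparing an md5 value inside the query.
function hardened_login(mysqli $db, string $username, string $password): bool
{
    $stmt = $db->prepare("SELECT id, password_hash FROM admin WHERE username = ?");
    if ($stmt === false) {
        return false;                      // fail closed on prepare errors
    }
    $stmt->bind_param("s", $username);     // "s": bound as a string, not as SQL
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // Run the hash check even when no row matched, so a missing username
    // does not answer noticeably faster than a wrong password.
    $hash = $row['password_hash'] ?? password_hash('', PASSWORD_DEFAULT);
    return $row !== null && password_verify($password, $hash);
}
```

Auditing for the first pattern (any query built with `.` or interpolation from `$_POST`/`$_GET`) is the quickest way to confirm whether a deployed 1.0 instance is affected.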