PHPGurukul Company Visitor Management System SQL Injection Vulnerability

A critical SQL injection vulnerability has been identified in PHPGurukul Company Visitor Management System version 1.0. The issue resides in the '/bwdates-reports-details.php' file, where the 'MULTIPART fromdate' and 'todate' parameters are manipulated to inject malicious SQL queries. This vulnerability can be exploited remotely, allowing attackers to gain unauthorized access to the database, leak sensitive information, tamper with data, and potentially disrupt services.

Impact

Exploitation of this vulnerability allows for unauthorized database access, data manipulation, and leakage of sensitive information. It poses a significant threat to system security and business continuity.

Reproduction

The vulnerability can be reproduced by sending a POST request to 'bwdates-reports-details.php' with crafted 'MULTIPART fromdate' and 'todate' parameters. The 'fromdate' parameter should include a payload that exploits the SQL injection vulnerability, such as a time-based blind SQL injection payload that uses the 'SLEEP' function to demonstrate the injection.

Remediation

To address this vulnerability, it is recommended to use prepared statements and parameter binding to prevent SQL injection, validate and filter user input, minimize database user permissions, and conduct regular security audits.