PHPGurukul Online Fire Reporting System SQL Injection Vulnerability in Edit Team Management

Vulnerability

A critical SQL injection vulnerability has been identified in the Online Fire Reporting System by PHPGurukul, specifically in version 1.2. The issue arises in the admin/edit-team.php file, where the teamid parameter can be manipulated to execute arbitrary SQL commands. This vulnerability can be exploited remotely, potentially allowing attackers to interfere with the database or access sensitive information.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can manipulate database queries. This could lead to unauthorized data access, data manipulation, or, in some cases, execution of administrative operations on the database.

Reproduction

The vulnerability can be reproduced by sending a crafted HTTP GET request to the admin/edit-team.php endpoint with a manipulated teamid parameter. The injection can be verified with a time-based blind SQL injection payload, that is, one that includes a sleep command: a delayed response indicates successful exploitation.
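A defender-side check for the request pattern described above, as an added example that is not part of the original advisory or of PHPGurukul's code: it scans web access logs for requests to admin/edit-team.php whose teamid is not a plain integer and marks those that also responded slowly. The log format (combined format plus a trailing request time), the /ofrs/ install prefix, the 3-second threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines: combined log format plus a trailing request time in
# seconds (an assumed logging setup). Addresses are documentation ranges.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Sep/2025:19:02:11 +0000] "GET /admin/edit-team.php?teamid=4 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 0.041
203.0.113.20 - - [01/Sep/2025:19:03:40 +0000] "GET /admin/edit-team.php?teamid=4%27%20PLACEHOLDER HTTP/1.1" 200 5120 "-" "curl/8.5.0" 5.213
203.0.113.20 - - [01/Sep/2025:19:03:52 +0000] "GET /ofrs/admin/edit-team.php?teamid=4%2527 HTTP/1.1" 200 5120 "-" "curl/8.5.0" 0.050
198.51.100.7 - - [01/Sep/2025:19:04:02 +0000] "GET /index.php HTTP/1.1" 200 900 "-" "Mozilla/5.0" 0.012
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "[^"]*" (?P<secs>\d+(?:\.\d+)?)$'
)
TARGET_PATH = "/admin/edit-team.php"   # endpoint named in the advisory
SLOW_SECONDS = 3.0                     # assumed threshold for a delayed response

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding, e.g. %2527 -> %27 -> a single quote."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan(log_text):
    """Flag requests whose teamid is missing, repeated or not a plain integer."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # line does not follow the assumed log format
        url = urlsplit(m["target"])
        if not url.path.lower().endswith(TARGET_PATH):
            continue
        values = [fully_decode(v) for k, v in
                  parse_qsl(url.query, keep_blank_values=True) if k == "teamid"]
        if len(values) != 1 or not re.fullmatch(r"[0-9]{1,10}", values[0]):
            findings.append({"ip": m["ip"], "time": m["ts"], "teamid": values,
                             "slow": float(m["secs"]) >= SLOW_SECONDS})
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The same integer-only allow-list on teamid is the check the endpoint itself should enforce before the value reaches a query.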

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 4.6
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.