Code-Projects Computer Laboratory System SQL Injection Vulnerability
Vulnerability
A SQL injection vulnerability exists in Code-Projects Computer Laboratory System version 1.0. This vulnerability allows users to bypass login authentication by entering a universal password in the Password field on the login page. The injection exploits the application's SQL query handling, potentially allowing unauthorized access to the system.
Impact
Exploitation of this vulnerability allows for unauthorized access to the application, bypassing normal authentication mechanisms.
Reproduction
To reproduce this vulnerability, navigate to the login page of Code-Projects Computer Laboratory System 1.0. Enter 'admin' in the Username field and a crafted SQL injection payload, such as a universal password that manipulates the SQL query (e.g., using 'OR 1=1' syntax), in the Password field. After submitting the login form, the response will indicate a successful login by returning a valid username, such as 'true_admin'. This SQL injection can also be automated using a tool like sqlmap, targeting the Password parameter.
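The login check described above, shown as an added example that is not code from the application or from this advisory: a string-built query next to a parameterized one, run against the 'OR 1=1' style of Password value the text mentions. The table layout, column names, function names and the use of Python with an in-memory SQLite database are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import sqlite3

def hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_db():
    # Constructed schema and account; the application's real tables are not on the page.
    # The plaintext column exists only so the vulnerable path has something to compare.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
               ("admin", "S3cret!pass", salt, hash_pw("S3cret!pass", salt)))
    return db

def login_vulnerable(db, username, password):
    # Weak pattern: form input is concatenated into the SQL text, so a quote
    # character in the Password field changes the structure of the WHERE clause.
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_hardened(db, username, password):
    # Bound parameter: the input is always treated as data, never as SQL.
    # The password is not part of the query; its hash is compared in constant time.
    row = db.execute("SELECT username, salt, pw_hash FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return None
    name, salt, stored = row
    return name if hmac.compare_digest(hash_pw(password, salt), stored) else None

def demo():
    db = make_db()
    crafted = "' OR 1=1 -- "  # constructed value in the 'OR 1=1' style named above
    return (login_vulnerable(db, "admin", crafted),      # logs in without the password
            login_hardened(db, "admin", crafted),        # rejected
            login_hardened(db, "admin", "S3cret!pass"))  # the real password still works

if __name__ == "__main__":
    print(demo())
```

The hardened function fixes two things at once: the query can no longer be restructured by input, and a password match is decided by the application from a salted hash rather than by the database from plaintext.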
