Krishanmuraiji SMS SQL Injection Vulnerability in Admin Module
Vulnerability
A time-based blind SQL injection vulnerability has been identified in Krishanmuraiji SMS version 1.0. The issue resides in the admin module, specifically within the 'edit-class-detail.php' file. The vulnerability is triggered through the 'editid' GET parameter, where unsanitized input is directly used in SQL queries. This flaw allows attackers to manipulate SQL execution, causing controlled delays that can be used to infer database information. Successful exploitation could lead to a complete compromise of the application's database, particularly within the administrative module.
Impact
Exploitation of this vulnerability could result in unauthorized access to database information, allowing for data disclosure, unauthorized data modifications, and potential privilege escalation. In a successful attack, the entire backend database could be compromised.
Reproduction
To reproduce this vulnerability, send a request to '/studentms/admin/edit-class-detail.php' with the 'editid' parameter. First, send a normal request to establish a baseline response time. Then, inject a payload that uses the SQL 'SLEEP()' function to create a delay. Because the application displays no error messages, the server's delayed response is the only indicator that the injection succeeded.
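Because the only observable symptom is a timing difference, a defender's best signal is in the web-server access log: an 'editid' value that is not a plain integer, a SLEEP() keyword in that parameter, or a request to this endpoint that took far longer than the baseline. The following PHP script is an added example written for this advisory; it is not code from the Krishanmuraiji SMS project. The log format it parses, the three-second "slow" threshold, and the sample log lines are all constructed assumptions, so adapt the regex and threshold to the real log format and baseline.

```php
<?php
// Added example for defenders, not part of the advisory or of the
// Krishanmuraiji SMS project: scan web-server access-log lines for requests
// to admin/edit-class-detail.php whose 'editid' value is not a plain integer,
// contains the SLEEP() keyword, or took unusually long to serve.
// Assumed (constructed) log format:
//   <client-ip> "<METHOD> <path?query> HTTP/x.y" <status> <request-seconds>
// Requires PHP 8.0+ (str_ends_with).

declare(strict_types=1);

function parseAccessLine(string $line): ?array
{
    if (!preg_match('/^(\S+) "(\S+) (\S+) HTTP\/[\d.]+" (\d{3}) ([\d.]+)$/', $line, $m)) {
        return null; // not in the assumed format; skip it
    }
    return [
        'ip'      => $m[1],
        'method'  => $m[2],
        'target'  => $m[3],
        'status'  => (int) $m[4],
        'seconds' => (float) $m[5],
    ];
}

// Returns the list of reasons a parsed request is suspicious (empty = benign).
function suspiciousReasons(array $req, float $slowSeconds = 3.0): array
{
    $url = parse_url($req['target']);
    if (!isset($url['path']) || !str_ends_with($url['path'], '/admin/edit-class-detail.php')) {
        return [];
    }
    parse_str($url['query'] ?? '', $params); // decodes percent-encoding for us
    $reasons = [];
    if (isset($params['editid']) && is_string($params['editid'])) {
        $editid = $params['editid'];
        // A legitimate editid is a positive integer; anything else is a red flag.
        if (filter_var($editid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]) === false) {
            $reasons[] = 'non-integer editid';
        }
        if (preg_match('/\bsleep\s*\(/i', $editid)) {
            $reasons[] = 'SLEEP() in editid';
        }
    }
    // Time-based probes leave a timing footprint even though the page shows no error.
    if ($req['seconds'] >= $slowSeconds) {
        $reasons[] = sprintf('slow response (%.2fs)', $req['seconds']);
    }
    return $reasons;
}

function scanLog(array $lines): array
{
    $alerts = [];
    foreach ($lines as $n => $line) {
        $req = parseAccessLine($line);
        if ($req === null) {
            continue;
        }
        $reasons = suspiciousReasons($req);
        if ($reasons !== []) {
            $alerts[] = sprintf('line %d: %s %s -> %s',
                $n + 1, $req['ip'], $req['target'], implode(', ', $reasons));
        }
    }
    return $alerts;
}

// Constructed sample log lines (not real traffic); the second and third
// should be flagged, the first and fourth should not.
$sampleLog = [
    '10.0.0.5 "GET /studentms/admin/edit-class-detail.php?editid=3 HTTP/1.1" 200 0.12',
    '10.0.0.5 "GET /studentms/admin/edit-class-detail.php?editid=3%20SLEEP(5) HTTP/1.1" 200 5.08',
    '10.0.0.5 "GET /studentms/admin/edit-class-detail.php?editid=abc HTTP/1.1" 200 0.10',
    '10.0.0.9 "GET /studentms/admin/index.php HTTP/1.1" 200 0.05',
];

foreach (scanLog($sampleLog) as $alert) {
    echo $alert, PHP_EOL;
}
```

Run it with `php scan.php` against a file of real log lines (replace `$sampleLog` with `file('access.log', FILE_IGNORE_NEW_LINES)`). The timing check needs the server's request-duration field (for example nginx's `$request_time`) in the log format; without it, the integer and keyword checks alone still catch the non-numeric values the page describes.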
Remediation
To address this vulnerability, developers should use prepared statements for database queries, validate numeric parameters to prevent injection, avoid concatenating SQL queries with user input, and apply least-privilege access controls for database permissions.
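The following PHP shows the unsafe pattern the advisory describes (the 'editid' GET value concatenated into the query text) next to a hardened handler that validates the parameter as a positive integer and binds it through a mysqli prepared statement. This is an added example, not the project's own code; the table name (tblclass), column name (ID), database name (studentms) and the database user name in the GRANT comment are assumptions.

```php
<?php
// Added example, not code from the Krishanmuraiji SMS project: the unsafe
// pattern named in the advisory beside a hardened replacement. Table and
// column names (tblclass, ID) are assumptions. Requires PHP 8.0+ and mysqli.

declare(strict_types=1);

// UNSAFE (illustration of the flaw only): the raw GET value becomes part of
// the SQL text, so the database cannot distinguish data from SQL syntax.
function fetchClassUnsafe(mysqli $db, array $get): ?array
{
    $sql = "SELECT * FROM tblclass WHERE ID='" . $get['editid'] . "'";
    $res = $db->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// Validation: editid must be a positive integer; anything else is rejected
// before the database is ever contacted.
function validateEditId(mixed $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// HARDENED: the query text is fixed; the validated integer travels as a bound
// parameter, so it can never change the statement's structure.
function fetchClassSafe(mysqli $db, array $get): ?array
{
    $id = validateEditId($get['editid'] ?? null);
    if ($id === null) {
        http_response_code(400); // bad input is an error, not a query
        return null;
    }
    $stmt = $db->prepare('SELECT * FROM tblclass WHERE ID = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Least privilege (assumed names): the account the application connects with
// should hold only the rights the admin module needs, for example:
//   GRANT SELECT, UPDATE ON studentms.tblclass TO 'sms_app'@'localhost';
// A blind-injection probe then cannot read or alter tables outside that grant.

// Usage (connection details are placeholders):
// $db = new mysqli('localhost', 'sms_app', '<password>', 'studentms');
// $class = fetchClassSafe($db, $_GET);
```

The same two changes, an integer check up front and a bound parameter in place of concatenation, apply to every other query in the module that takes an identifier from the request; the prepared statement removes the injection, and the validation turns a malformed value into a 400 instead of a silent query.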
