PHPGurukul Zoo Management System SQL Injection Vulnerability in Ticket Management File

A critical SQL injection vulnerability has been identified in PHPGurukul Zoo Management System version 2.1. The issue resides in the file '/admin/manage-foreigners-ticket.php', where the 'id' parameter is manipulated, allowing attackers to inject malicious SQL code. This vulnerability can be exploited remotely, with public knowledge of the exploit available.

Impact

Exploitation of this vulnerability allows attackers to inject SQL queries that can be executed by the database. This could lead to unauthorized data access, data manipulation or deletion, and potentially allow attackers to execute administrative operations on the database, disrupting normal application functionality.

Reproduction

The vulnerability can be reproduced by sending a GET request to '/admin/manage-foreigners-ticket.php' with a crafted 'id' parameter that includes malicious SQL payloads. The injection can be verified by using time-based blind SQL injection techniques, such as pausing the response for a few seconds, indicating successful exploitation.

Remediation

It is recommended to update to a version of PHPGurukul Zoo Management System that addresses this vulnerability. Users can check the PHPGurukul website for the latest version or contact their support for guidance.