PHPGurukul Zoo Management System SQL Injection Vulnerability in Ticket Management File

A critical SQL injection vulnerability has been identified in PHPGurukul Zoo Management System version 2.1. The issue resides in the file '/admin/manage-normal-ticket.php', where the 'id' parameter is manipulated, allowing attackers to inject malicious SQL queries. This vulnerability can be exploited remotely, with public knowledge of the exploit available.

Impact

Exploitation of this vulnerability allows attackers to inject SQL queries that can be executed by the database. This could lead to unauthorized data access, data manipulation or deletion, and potentially allow attackers to execute administrative operations on the database.

Reproduction

To reproduce this vulnerability, send a GET request to '/admin/manage-normal-ticket.php' with the 'id' parameter set to a crafted value that exploits the SQL injection. The injection can be verified by using a payload that, for example, causes a time-based delay, indicating successful exploitation.

Remediation

It is recommended to update to a version of PHPGurukul Zoo Management System that addresses this vulnerability. If no such version is available, consider applying general SQL injection mitigation techniques, such as using prepared statements and parameterized queries, to prevent malicious input from being executed as part of an SQL command.