PHPGurukul Zoo Management System SQL Injection Vulnerability in Ticket Management

A critical SQL injection vulnerability has been identified in PHPGurukul Zoo Management System version 2.1. The issue arises in the file '/admin/add-foreigners-ticket.php', where the 'cprice' parameter is manipulated, allowing attackers to inject malicious SQL queries. This vulnerability can be exploited remotely, with public knowledge of the exploit available.

Impact

Exploitation of this vulnerability allows attackers to inject SQL queries that can be executed by the database. This could lead to unauthorized data access, data manipulation or deletion, and potentially allow attackers to execute administrative operations on the database, disrupting normal application functionality.

Reproduction

To reproduce this vulnerability, send a POST request to '/zms/admin/add-foreigners-ticket.php' with the 'cprice' parameter included. The request should also include 'visitorname', 'noadult', 'nochildren', and 'aprice' parameters. The 'cprice' parameter should be crafted to include a SQL injection payload, such as a time-based blind injection that uses the SQL 'SLEEP' function to demonstrate the injection.

Remediation

It is recommended to use prepared statements and parameter binding to prevent SQL injection. Additionally, input validation and filtering should be implemented to ensure that user input conforms to expected formats, blocking malicious data. Finally, database user permissions should be minimized, ensuring that the database account used by the application has only the necessary privileges.