Code-Projects Intern Membership Management System SQL Injection Vulnerability

A critical SQL injection vulnerability has been identified in Code-Projects Intern Membership Management System version 1.0. The issue arises in the file /admin/delete_student.php, where the 'id' parameter is manipulated, allowing attackers to inject malicious SQL queries. This vulnerability can be exploited remotely without any authentication, potentially leading to unauthorized database access, data manipulation, and leakage of sensitive information.

Impact

Exploitation of this vulnerability allows for unauthorized access to the database, manipulation or deletion of data, and extraction of sensitive information. Such actions pose a significant threat to the overall security of the system and its data integrity.

Reproduction

To reproduce this vulnerability, send a POST request to /admin/delete_student.php with an 'id' parameter that includes a crafted SQL payload. The injection can be verified by observing the application's response, which may indicate successful exploitation, such as a delay in response time or unexpected data being returned.