code-projects Human Resource Integrated System
cpe:2.3:a:code-projects:human_resource_integrated_system:*:*:*:*:*:*:*
- 1.0
A SQL injection vulnerability has been identified in Code-Projects Human Resource Integrated System version 1.0. The issue resides in the file login_attendance2.php, where the employee_id and date parameters are not properly sanitized, allowing for the injection of malicious SQL code. This vulnerability can be exploited remotely, without authentication, and has been publicly disclosed along with an available exploit.
Successful exploitation lets an attacker manipulate the database queries the application issues. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.
To reproduce this vulnerability, send a POST request to login_attendance2.php with the employee_id and date parameters. The employee_id parameter can be crafted to include SQL injection payloads, such as UNION SELECT statements or time-based injection techniques. Once the request is sent, the response can be analyzed for indications of successful exploitation, such as extracted data or response delays.
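As a remediation sketch (an added example, not code from the application or its vendor), the handler below validates employee_id and date against allow-lists and passes them to the database only as bound parameters. The attendance table, its columns, the ID format and the use of in-memory SQLite in place of the application's database are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical schema; in-memory SQLite stands in for the application's database.
function demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE attendance (employee_id TEXT, work_date TEXT, time_in TEXT)');
    // Constructed sample rows.
    $pdo->exec("INSERT INTO attendance VALUES ('E1001','2024-05-02','08:58'), ('E1002','2024-05-02','09:14')");
    return $pdo;
}

// Allow-list check: the assumed ID format is 1-32 letters, digits, '_' or '-'.
function valid_employee_id(string $id): bool
{
    return preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $id) === 1;
}

// Accept only a real calendar date in YYYY-MM-DD form (2024-02-30 fails the round trip).
function valid_date(string $date): bool
{
    $d = DateTimeImmutable::createFromFormat('!Y-m-d', $date);
    return $d !== false && $d->format('Y-m-d') === $date;
}

function find_attendance(PDO $pdo, string $employeeId, string $date): array
{
    if (!valid_employee_id($employeeId) || !valid_date($date)) {
        throw new InvalidArgumentException('invalid employee_id or date');
    }
    // Placeholders keep both values out of the SQL text entirely.
    $stmt = $pdo->prepare(
        'SELECT employee_id, work_date, time_in FROM attendance
         WHERE employee_id = :id AND work_date = :d'
    );
    $stmt->execute([':id' => $employeeId, ':d' => $date]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = demo_db();
// In a real handler the pair would come from $_POST['employee_id'] and $_POST['date'].
$inputs = [['E1001', '2024-05-02'], ["E1001' OR '1'='1", '2024-05-02'], ['E1001', '2024-02-30']];
foreach ($inputs as [$id, $date]) {
    try {
        printf("%-20s %s -> %d row(s)\n", $id, $date, count(find_attendance($pdo, $id, $date)));
    } catch (InvalidArgumentException $e) {
        printf("%-20s %s -> rejected\n", $id, $date);
    }
}
```

The bound parameters are the actual fix; the allow-list checks add defense in depth and give a clean rejection point that can be logged for detection.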