PHPGurukul Beauty Parlour Management System SQL Injection Vulnerability in Contact Us Admin Page

A SQL injection vulnerability has been identified in PHPGurukul Beauty Parlour Management System version 1.1. The issue resides in the admin contact-us.php file, where the mobnumber parameter is manipulated, allowing attackers to inject malicious SQL queries. This vulnerability can be exploited remotely, without any authentication, potentially leading to unauthorized access and manipulation of the database.

Impact

Exploitation of this vulnerability allows attackers to inject malicious SQL queries, bypassing authentication and authorization. This could lead to unauthorized data access, data manipulation or deletion, and in some cases, executing administrative operations on the database.

Reproduction

To reproduce this vulnerability, send a POST request to the /admin/contact-us.php endpoint with the mobnumber parameter. Include a payload that exploits the SQL injection, such as a time-based blind injection that uses the SQL SLEEP function to demonstrate the injection's effectiveness.

Remediation

It is recommended to validate and sanitize user inputs, particularly in the mobnumber parameter, to prevent SQL injection. Implementing prepared statements and parameterized queries can also help mitigate this vulnerability.