Beauty Parlour Management System SQL Injection Vulnerability

A SQL injection vulnerability has been identified in Beauty Parlour Management System version 1.1. The issue arises in the 'aptnumber' parameter of the '/appointment-detail.php' endpoint, allowing attackers to execute crafted SQL statements that could access sensitive database information. This vulnerability can be exploited by ordinary users who have registered through the 'signup' function.

Impact

Exploitation of this vulnerability could lead to unauthorized access to database information, with the potential to obtain database access rights or even DBA permissions.

Reproduction

The vulnerability can be reproduced by sending a crafted SQL injection payload through the 'aptnumber' parameter in the '/appointment-detail.php' endpoint. This can be done manually or using automated tools like sqlmap. The injection can be verified by extracting database information, such as the current database name, or by using time-based payloads to confirm the injection's effectiveness.