Code-Projects Online Food Ordering System SQL Injection Vulnerability in Admin Login Module

A critical SQL injection vulnerability has been identified in the Online Food Ordering System version 1.0, developed by Code-Projects. The issue resides in the Admin Login Module, specifically within the '/admin.php' file. The vulnerability is triggered by manipulating the 'username' parameter, allowing remote attackers to execute arbitrary SQL commands. This injection occurs before authentication, posing a significant risk as it requires no credentials or prior access.

Impact

Exploitation of this vulnerability allows for arbitrary SQL execution, with potential impacts including database enumeration, authentication bypass, data manipulation, and full database extraction using tools like sqlmap. Accessing the admin panel could lead to a complete system compromise.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/admin.php' file in the Admin Login Module. The 'username' parameter must be crafted to include a SQL injection payload, such as a subquery that uses the 'SLEEP()' function to create a time-based blind injection. This injected payload exploits the application's SQL query handling, confirming the presence of the vulnerability by causing a delay in the response.