itsourcecode Construction Management System SQL Injection Vulnerability

Vulnerability

A SQL injection vulnerability exists in itsourcecode Construction Management System version 1.0, specifically in the file borrowed_equip_report.php. The issue arises in the Parameter Handler component, where the 'start' parameter can be manipulated to inject malicious SQL. The vulnerability can be exploited remotely and has been publicly disclosed.

Impact

Exploitation of this vulnerability allows attackers to execute arbitrary SQL commands, potentially leading to unauthorized database access, data manipulation and, in some cases, command execution on the server.

Reproduction

To reproduce this vulnerability, send a POST request to 'borrowed_equip_report.php' with the 'start' parameter. The request can include a crafted SQL payload that exploits the application's SQL query handling. This vulnerability can be identified using Google Dorks, such as 'inurl:borrowed_equip_report.php', to find vulnerable targets.

Remediation

No specific mitigation measures are known for this vulnerability.
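Since the advisory records no vendor fix, the following is an added illustration of the standard defense for this bug class; it is not code from itsourcecode or from the advisory. The injectable pattern is shown only as a comment, and the hardened handler validates the 'start' parameter against the date format the report expects and then binds it through a PDO prepared statement so the database never parses user input as SQL. The table and column names, the connection details and the shape of the original query are assumptions; the real borrowed_equip_report.php may differ.

```php
<?php
// Added example, not the project's code. Assumed schema: table borrowed_equipment
// with a DATE column borrow_date; the real borrowed_equip_report.php may differ.

// Vulnerable pattern (how an injectable report endpoint typically looks):
// $start  = $_POST['start'];
// $sql    = "SELECT * FROM borrowed_equipment WHERE borrow_date >= '$start'";
// $result = mysqli_query($conn, $sql);   // user input becomes part of the SQL text

// Hardened version: validate the input, then bind it as a parameter so the
// database engine treats it strictly as data.
function fetchBorrowedEquipmentReport(PDO $pdo, string $start): array
{
    // Allow-list validation: the report expects a calendar date (YYYY-MM-DD).
    // The round-trip check rejects values that merely start with a valid date.
    $d = DateTime::createFromFormat('Y-m-d', $start);
    if ($d === false || $d->format('Y-m-d') !== $start) {
        throw new InvalidArgumentException('start must be a date in YYYY-MM-DD form');
    }

    // Prepared statement: the placeholder is sent separately from the query text.
    $stmt = $pdo->prepare(
        'SELECT id, equipment_name, borrower, borrow_date
           FROM borrowed_equipment
          WHERE borrow_date >= :start
          ORDER BY borrow_date'
    );
    $stmt->bindValue(':start', $start, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage with an assumed DSN and credentials (placeholders, not the project's).
$pdo = new PDO('mysql:host=localhost;dbname=construction_db', 'app_user', 'app_password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use server-side prepared statements
]);

$start = $_POST['start'] ?? '';
try {
    $rows = fetchBorrowedEquipmentReport($pdo, $start);
    foreach ($rows as $row) {
        // Escape on output as well, since report data is rendered into HTML.
        echo htmlspecialchars($row['equipment_name'], ENT_QUOTES, 'UTF-8'), "\n";
    }
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'Invalid start date';
}
```

Binding the value is what removes the injection; the date check is an additional layer that also gives a clean 400 response on malformed input instead of a database error, which is useful when reviewing access logs for probing attempts against this endpoint.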

Added: Apr 6, 2026, 5:18 AM
Updated: Apr 6, 2026, 5:18 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.1
exploitability: 8.7
remediation: 0.0
relevance: 5.4
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.