Code-Projects Online Application System for Admission SQL Injection Vulnerability

Vulnerability

A SQL injection vulnerability has been identified in the Online Application System for Admission version 1.0, specifically within the enrollment/admsnform.php file. This vulnerability arises from the improper handling of the detid parameter, which is processed by the application without adequate input validation or sanitization. As a result, attackers can inject malicious SQL payloads that are executed by the database, potentially leading to unauthorized data access or manipulation.

Impact

Exploitation of this vulnerability allows for arbitrary SQL command execution, extraction of sensitive database information, bypassing authentication mechanisms, modification or deletion of database records, privilege escalation, and in some cases, complete control over application data, depending on database permissions.

Reproduction

To reproduce this vulnerability, submit a POST request to the enrollment/admsnform.php endpoint with a crafted detid parameter containing a SQL payload. For example, a payload that uses the SLEEP() function demonstrates that the injected SQL is executed.

Remediation

No specific remediation measures are known for this vulnerability.
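
With no vendor fix listed, the general mitigation for this class of bug is shown here as an added example; it is not the application's own code. The `details` table, its columns, and the assumption that detid is a numeric identifier are hypothetical, and an in-memory SQLite database stands in for the real one.

```php
<?php
declare(strict_types=1);

// Constructed stand-in database; the table and columns are hypothetical,
// not taken from the application's real schema.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE details (id INTEGER PRIMARY KEY, applicant TEXT)');
$db->exec("INSERT INTO details (id, applicant) VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");

// Pattern the advisory describes: the POSTed detid is concatenated into the
// SQL text, so the database parses whatever the client sent as SQL.
function lookupUnsafe(PDO $db, string $detid): array
{
    $sql = 'SELECT id, applicant FROM details WHERE id = ' . $detid;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: allow-list validation (assumes detid is a positive integer)
// plus a prepared statement, so the value is bound as data and never parsed.
function lookupSafe(PDO $db, string $detid): array
{
    if (!ctype_digit($detid) || strlen($detid) > 10) {
        throw new InvalidArgumentException('detid must be a numeric id');
    }
    $stmt = $db->prepare('SELECT id, applicant FROM details WHERE id = :detid');
    $stmt->bindValue(':detid', (int) $detid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs standing in for $_POST['detid'].
$inputs = ['2', '2 OR 1=1'];
foreach ($inputs as $detid) {
    printf("detid=%s\n", var_export($detid, true));
    printf("  unsafe rows: %d\n", count(lookupUnsafe($db, $detid)));
    try {
        printf("  safe rows:   %d\n", count(lookupSafe($db, $detid)));
    } catch (InvalidArgumentException $e) {
        printf("  safe:        rejected (%s)\n", $e->getMessage());
    }
}
```

The same two controls apply with MySQL through PDO or mysqli prepared statements; the database account used by the application should also hold only the privileges the form needs, since the Impact section notes that the damage depends on database permissions.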

Added: Apr 6, 2026, 12:19 PM
Updated: Apr 6, 2026, 12:19 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.1
exploitability: 8.7
remediation: 0.0
relevance: 5.4
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.