Code-Projects Employee Management System SQL Injection Vulnerability in Delete.php
Vulnerability
A SQL injection vulnerability has been identified in Code-Projects Employee Management System version 1.0, specifically in the file 370project/delete.php. The vulnerability arises because the 'id' parameter is directly taken from the URL and used in a DELETE SQL statement without proper parameterization. This flaw allows remote attackers to manipulate database queries, potentially leading to unauthorized data modification or deletion, depending on database permissions. Additionally, the vulnerability could be exploited using blind SQL injection techniques to infer database behavior or data. Exploitation of this vulnerability could also degrade the application's availability by forcing the database to execute time-consuming operations.
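The pattern described above, next to a parameterized form, as an added example that is not the project's own code. It assumes PHP with the PDO SQLite driver so it runs offline; the `employee` table, its columns, the function names and the sample input are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed demo data in an in-memory SQLite database. Assumption: table and
// column names are hypothetical, not taken from the application.
function demo_db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE employee (id INTEGER PRIMARY KEY, name TEXT)');
    $pdo->exec("INSERT INTO employee (id, name) VALUES (1,'Ana'),(2,'Ben'),(3,'Cy')");
    return $pdo;
}

// Vulnerable pattern from the advisory: the request value becomes part of the
// SQL text, so anything after the number is parsed as SQL.
function delete_concatenated(PDO $pdo, string $id): int {
    return (int) $pdo->exec("DELETE FROM employee WHERE id = $id");
}

// Hardened form: accept only a positive integer, then bind it as a typed
// parameter so the value can never change the statement's structure.
function delete_parameterized(PDO $pdo, string $id): int {
    $n = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($n === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    $stmt = $pdo->prepare('DELETE FROM employee WHERE id = :id');
    $stmt->bindValue(':id', $n, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

$input = '2 OR 1=1'; // constructed value standing in for $_GET['id']

$pdo = demo_db();
printf("concatenated: %d row(s) deleted\n", delete_concatenated($pdo, $input));

$pdo = demo_db();
try {
    delete_parameterized($pdo, $input);
} catch (InvalidArgumentException $e) {
    printf("parameterized: rejected (%s)\n", $e->getMessage());
}
printf("parameterized: %d row(s) deleted for id=2\n", delete_parameterized($pdo, '2'));
```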
Impact
Exploiting this SQL injection lets an attacker manipulate database queries, modify or delete data without authorization, and degrade application availability by causing the database to perform time-consuming operations.
Reproduction
To reproduce this vulnerability, send a GET request to '370project/delete.php' with a crafted 'id' parameter that exploits the SQL injection flaw. The injected SQL payload should be designed to manipulate the SQL query execution, such as by using time-based blind SQL injection techniques to verify the injection.
