Code-Projects Employee Management System SQL Injection Vulnerability in Approve.php

Vulnerability

A SQL injection vulnerability has been identified in the Code-Projects Employee Management System version 1.0. The issue resides in the file '370project/approve.php', where the user-supplied parameters 'id' and 'token' are concatenated directly into an SQL 'UPDATE' statement without parameterization. This flaw allows remote attackers to manipulate the approval logic, infer database behavior using blind SQL injection techniques, and potentially degrade application performance by introducing time delays or triggering resource-intensive database operations.
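The pattern described above, as an added illustration that is not the project's code: a hypothetical approval handler that concatenates 'id' and 'token' into the UPDATE, beside a hardened version that validates the inputs and binds them through a mysqli prepared statement. The table name 'leave_requests', the 'status' column, the token format, and the connection details are assumptions made for the example.

```php
<?php
// Added example, not code from the Employee Management System.
// Table and column names below are assumed for illustration.

// --- Vulnerable pattern (the shape the advisory describes) ---
function approve_vulnerable(mysqli $db, array $get): bool {
    $id    = $get['id']    ?? '';
    $token = $get['token'] ?? '';
    // Both values are spliced into the SQL text verbatim, so whatever the
    // client sends becomes part of the statement. This is the injection point.
    $sql = "UPDATE leave_requests SET status = 'approved' "
         . "WHERE id = " . $id . " AND token = '" . $token . "'";
    return $db->query($sql) !== false;
}

// --- Hardened pattern ---
function approve_safe(mysqli $db, array $get): bool {
    // 1. Validate shape before touching the database: 'id' must be a positive
    //    integer and 'token' must match the format the application issues
    //    (a 32-character hex string is assumed here).
    $id    = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => 1]]);
    $token = $get['token'] ?? '';
    if ($id === false || !preg_match('/^[a-f0-9]{32}$/', $token)) {
        http_response_code(400);
        return false;
    }

    // 2. Use a prepared statement: the SQL text is fixed at prepare time and
    //    the values are sent separately, so they cannot alter the statement.
    $stmt = $db->prepare(
        "UPDATE leave_requests SET status = 'approved' WHERE id = ? AND token = ?"
    );
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('is', $id, $token);   // 'i' = integer, 's' = string
    $ok      = $stmt->execute();
    $changed = $stmt->affected_rows;
    $stmt->close();

    // 3. Treat the approval as successful only when exactly one row changed;
    //    a WHERE clause that matched zero or many rows is a failure, not a redirect.
    return $ok && $changed === 1;
}

// Usage (assumed credentials; a session/authorization check for the acting
// user belongs before any database write and is omitted here):
// $db = new mysqli('localhost', 'app_user', 'app_password', 'ems');
// if (approve_safe($db, $_GET)) {
//     header('Location: empleave.php');
//     exit;
// }
```

The integer validation and the 'i' bind type together mean 'id' can only ever reach the database as a number, and checking 'affected_rows' stops the handler from redirecting as if an approval succeeded when nothing matched.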

Impact

Exploitation of this vulnerability allows for unauthorized manipulation of approval statuses, depending on database permissions and behavior. Additionally, the vulnerability could be exploited to perform time-based blind SQL injection, inferring database information based on response times, or to execute costly database operations that could disrupt application performance.

Reproduction

To reproduce this vulnerability, send a GET request to '370project/approve.php' with the 'id' and 'token' parameters. The 'id' parameter can be replaced with a crafted payload that exploits the SQL injection vulnerability, such as a payload that includes a time-delay function. The injection can be verified by comparing the response time to a baseline request without the payload, as the vulnerable application will redirect to 'empleave.php' after processing the SQL command.

Added: Apr 27, 2026, 12:20 PM
Updated: Apr 27, 2026, 12:20 PM

Vulnerability Rating

Custom Algorithm

  Category        Score
  spread          0.0
  impact          3.8
  exploitability  8.7
  remediation     0.0
  relevance       6.8
  threat          6.4
  urgency         2.9
  incentive       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.