Code-Projects Gym Management System SQL Injection Vulnerability

A SQL injection vulnerability has been identified in the Code-Projects Gym Management System, specifically in the file '/index.php'. The issue arises from the improper handling of the 'day' parameter, which is directly concatenated into SQL queries without proper validation or parameterization. This vulnerability allows remote attackers to manipulate the 'day' argument and execute arbitrary SQL commands, potentially leading to unauthorized data access or modification.

Impact

Exploitation of this vulnerability allows for reflected SQL injection, where an attacker can inject and execute SQL queries that are immediately reflected in the application response. This could be used to extract, modify, or delete database information. Additionally, the vulnerability could be exploited to bypass authentication and access sensitive user information, such as admin credentials.

Reproduction

To reproduce this vulnerability, send a GET request to '/mygym/index.php' with the 'day' parameter set to a crafted SQL injection payload. After successfully injecting SQL, the injected data will be reflected in the response, indicating that the SQL injection was successful. This vulnerability can be exploited using tools like sqlmap, targeting the 'day' parameter to extract information from the application's database.