| عنوان | SourceCodester Water Billing Management System in PHP/OOP Free Source Code 1.0 SQL Injection |
|---|
| الوصف | The Water Billing Management System is vulnerable to an Authenticated SQL Injection flaw within the administrative dashboard. An attacker with valid low-level administrative credentials can manipulate the id parameter in the user management module to execute arbitrary SQL commands. This can lead to unauthorized data disclosure, including database versioning, structural information, and sensitive user records.
The application fails to properly sanitize or parameterize the id GET parameter in the /wbms/admin/?page=user/manage_user route. The input is passed directly into a SQL query string, allowing for Union-Based SQL Injection.
While this requires the attacker to be logged into the admin panel, it represents a significant risk from "insider threats" or compromised sub-admin accounts, as it allows for vertical privilege escalation and full database extraction. |
|---|
| المصدر | ⚠️ https://github.com/renzortega1337/Security-Research-/blob/main/Authenticated%20SQL%20Injection%20in%20User%20Management.md |
|---|
| المستخدم | renzortega1337 (UID 98096) |
|---|
| ارسال | 08/05/2026 03:26 PM (1 شهر منذ) |
|---|
| الاعتدال | 31/05/2026 10:24 AM (23 days later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 367516 [SourceCodester Water Billing Management System 1.0 User Management manage_user معرف حقن SQL] |
|---|
| النقاط | 20 |
|---|