| Titel | 1000 Projects Beauty Parlour Management System V1.0 SQL Injection |
|---|
| Beschreibung | The primary root cause is insufficient sanitization of user inputs in the “Array-like #1* ((custom) POST)” parameter. The system constructs SQL statements with these parameters directly, allowing attackers to embed arbitrary code into the query.
Database Compromise
Attackers may escalate privileges, read sensitive data, or make unauthorized modifications.
Data Leakage
Confidential information (e.g., customer details, service logs) could be exposed.
Service Interruption
Malicious queries (like time-based “SLEEP” injections) may degrade system performance or trigger crashes.
System Control
In some scenarios, attackers pivot from database to broader system-level access if combined with other exploits. |
|---|
| Quelle | ⚠️ https://github.com/lings3346/CVE/blob/main/SQL_Injection_in_Beauty_Parlour_Management_System.md |
|---|
| Benutzer | lings3346 (UID 79542) |
|---|
| Einreichung | 30.12.2024 15:19 (vor 1 Jahr) |
|---|
| Moderieren | 31.12.2024 09:46 (18 hours later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 289826 [1000 Projects Beauty Parlour Management System 1.0 Customer Detail add-customer-services.php sids[] SQL Injection] |
|---|
| Punkte | 20 |
|---|