| Titel | SourceCodester Water Billing Management System in PHP/OOP Free Source Code 1.0 SQL Injection |
|---|
| Beschreibung | The Water Billing Management System is vulnerable to an Authenticated SQL Injection flaw within the administrative dashboard. An attacker with valid low-level administrative credentials can manipulate the id parameter in the user management module to execute arbitrary SQL commands. This can lead to unauthorized data disclosure, including database versioning, structural information, and sensitive user records.
The application fails to properly sanitize or parameterize the id GET parameter in the /wbms/admin/?page=user/manage_user route. The input is passed directly into a SQL query string, allowing for Union-Based SQL Injection.
While this requires the attacker to be logged into the admin panel, it represents a significant risk from "insider threats" or compromised sub-admin accounts, as it allows for vertical privilege escalation and full database extraction. |
|---|
| Quelle | ⚠️ https://github.com/renzortega1337/Security-Research-/blob/main/Authenticated%20SQL%20Injection%20in%20User%20Management.md |
|---|
| Benutzer | renzortega1337 (UID 98096) |
|---|
| Einreichung | 08.05.2026 15:26 (vor 27 Tagen) |
|---|
| Moderieren | 31.05.2026 10:24 (23 days later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 367516 [SourceCodester Water Billing Management System 1.0 User Management manage_user ID SQL Injection] |
|---|
| Punkte | 20 |
|---|