Submission #786310: code-projects Online FIR System In PHP 1.0 SQL Injection

Title: code-projects Online FIR System In PHP 1.0 SQL Injection
Description:

A SQL Injection vulnerability exists in the authentication functionality of the Online FIR System in PHP. The vulnerability is in the login processing component located at /Online_FIR_System/Login/checklogin.php.

The application processes user-supplied input through the email and password parameters during login. The email parameter is used directly in backend SQL queries without validation, sanitization, or parameterization.

Testing confirmed that the email parameter is vulnerable to time-based SQL injection, which shows that attacker-controlled SQL expressions are executed by the database engine. By injecting a crafted payload into the email parameter, an attacker can manipulate the structure of the SQL query. In the provided request, a delay-based payload using the SLEEP() function was used:

[email protected]'+(select*from(select(sleep(20)))a)+'

When the request is processed, the server response is delayed by approximately 20 seconds, confirming successful SQL injection. Because the application neither sanitizes input nor uses prepared statements, it allows attackers to execute arbitrary SQL queries.
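The remediation the description points at (prepared statements instead of string-built queries) is shown below as an added example; it is not code from the Online FIR System project or from the submitter. The table and column names (users, email, password_hash), the check_login function and the connection details are assumptions made for the illustration.

```php
<?php
// Added example, not the project's code. Table/column names are assumed.

// Vulnerable shape described in the report: the email value becomes part of
// the SQL text, so an expression such as the SLEEP()-based payload is
// evaluated by the database instead of being compared as data.
//
//   $sql = "SELECT id FROM users WHERE email='" . $_POST['email'] . "'"
//        . " AND password='" . $_POST['password'] . "'";
//   $result = $conn->query($sql);

// Hardened shape: a prepared statement with a bound parameter, and a password
// hash comparison instead of a plaintext password column.
function check_login(mysqli $conn, string $email, string $password): ?int
{
    // The SQL text is fixed; the user-controlled value travels separately.
    $stmt = $conn->prepare(
        'SELECT id, password_hash FROM users WHERE email = ? LIMIT 1'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->bind_result($id, $hash);

    if (!$stmt->fetch()) {
        $stmt->close();
        return null;                      // unknown email address
    }
    $stmt->close();

    // $hash is a value produced by password_hash(); never compare plaintext.
    return password_verify($password, $hash) ? (int) $id : null;
}

// Usage with assumed connection details:
// $conn   = new mysqli('localhost', 'fir_user', 'example-secret', 'fir_db');
// $userId = check_login($conn, $_POST['email'] ?? '', $_POST['password'] ?? '');
// if ($userId === null) {
//     http_response_code(401);
//     exit('Login failed');
// }
// $_SESSION['user_id'] = $userId;
```

With the bound parameter, the same payload from the report is compared as a literal email string and simply fails to match any row. From a detection standpoint, the time-based technique described above leaves a characteristic trace: login requests whose response time is an order of magnitude above the baseline, typically alongside SLEEP( or BENCHMARK( substrings in the email parameter, which is a useful alert condition for checklogin.php in access logs or a WAF.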
Source: https://github.com/ahmadmarz10-hub/CVEsMarz/blob/main/SQL%20Injection%20in%20Online%20FIR%20System%20PHP%20email%20Parameter.md
User: AhmadMarzouk (UID 95993)
Submission: 23/03/2026 18:21 (17 days ago)
Moderated: 06/04/2026 10:09 (14 days later)
Status: Accepted
VulDB Entry: 355488 [code-projects Online FIR System 1.0 Login /Login/checklogin.php email/password SQL injection]
Points: 20
