| Название | SourceCodester Water Billing Management System in PHP/OOP Free Source Code 1.0 SQL Injection |
|---|
| Описание | The Water Billing Management System is vulnerable to an Authenticated SQL Injection flaw within the administrative dashboard. An attacker with valid low-level administrative credentials can manipulate the id parameter in the user management module to execute arbitrary SQL commands. This can lead to unauthorized data disclosure, including database versioning, structural information, and sensitive user records.
The application fails to properly sanitize or parameterize the id GET parameter in the /wbms/admin/?page=user/manage_user route. The input is passed directly into a SQL query string, allowing for Union-Based SQL Injection.
While this requires the attacker to be logged into the admin panel, it represents a significant risk from "insider threats" or compromised sub-admin accounts, as it allows for vertical privilege escalation and full database extraction. |
|---|
| Источник | ⚠️ https://github.com/renzortega1337/Security-Research-/blob/main/Authenticated%20SQL%20Injection%20in%20User%20Management.md |
|---|
| Пользователь | renzortega1337 (UID 98096) |
|---|
| Представление | 08.05.2026 15:26 (29 дни назад) |
|---|
| Модерация | 31.05.2026 10:24 (23 days later) |
|---|
| Статус | принято |
|---|
| Запись VulDB | 367516 [SourceCodester Water Billing Management System 1.0 User Management manage_user ИД SQL-инъекция] |
|---|
| Баллы | 20 |
|---|