Submit #471674: Attendance Tracking Management System (PHP & MySQL) 1.0 SQL Injectioninfo

TitleAttendance Tracking Management System (PHP & MySQL) 1.0 SQL Injection
DescriptionInitial Observation Researchers noticed abnormal query responses when modifying the parameter attendance_id (in practice, labeled as course_id in the actual request) in /admin/report.php. Root Cause Input from course_id is used directly in SQL queries without proper cleansing or validation. Attackers can embed malicious SQL statements by manipulating the parameter, thereby gaining unauthorized access to or control of the database. If successfully exploited, this SQL injection can result in: Unauthorized Database Access: Attackers read or retrieve sensitive information. Data Leakage: Confidential records such as attendance logs or user info may be exposed. Data Manipulation: Potential to create, update, or delete rows maliciously. System Disruption: Use of time-based (SLEEP) queries could degrade performance or crash services. Wider Network Risks: Lateral movement if privileged credentials are compromised.
Source⚠️ https://github.com/matias-a11y/cve/issues/2
User
 mxh9934 (UID 73328)
Submission12/29/2024 15:25 (2 years ago)
Moderation12/29/2024 16:45 (1 hour later)
StatusAccepted
VulDB entry289770 [1000 Projects Attendance Tracking Management System 1.0 /admin/report.php attendance_report course_id sql injection]
Points20

Do you need the next level of professionalism?

Upgrade your account now!