| Field | Value |
|---|---|
| Title | Yunlin: code-projects Prison Management System 2.0 SQL Injection |
| Description | In the `search.php` file of the Student Information Management System, the developer directly concatenates the value received from the user-supplied `keyname` parameter into the dynamic SQL query string without performing any sanitization, validation, or parameterization. Consequently, an attacker can craft malicious `keyname` input—such as inserting meta-characters (e.g., single quotes), UNION-based payloads, Boolean-based blind clauses, time-delay functions, or stacked queries—to subvert the original SQL logic and trigger a critical SQL-injection vulnerability. Exploiting this flaw not only allows unauthorized bypassing of authentication controls but also grants the attacker the ability to read, modify, or delete sensitive student records (e.g., full names, student IDs, national identification numbers, grades, home addresses) stored in the backend database. Furthermore, by leveraging database-specific privileged functions—such as MySQL’s `LOAD_FILE()` to read system files, `INTO OUTFILE` to write web shells, or Microsoft SQL Server’s `xp_cmdshell` to execute operating-system commands—the attacker can escalate the attack from the database layer to the underlying server, ultimately obtaining full system-level privileges. Once the server is compromised, it can be used as a lateral-movement pivot to infiltrate other critical internal systems, leading to catastrophic outcomes including large-scale data breaches, service outages, defacement, ransomware deployment, and long-term persistence within the network. |
| Source | https://github.com/asd1238525/cve/blob/main/SQL18.md |
| User | zakka (UID 41989) |
| Submission | 12/05/2025 08:23 (4 months ago) |
| Moderation | 12/12/2025 16:12 (7 days later) |
| Status | Accepted |
| VulDB entry | 336209 [code-projects Prison Management System 2.0 /admin/search.php keyname sql injection] |
| Points | 20 |
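The defect the record describes (the `keyname` value concatenated into the query string) and the fix that removes it, as an added illustration rather than the project's own `search.php`: the connection details, the `students` table and its `name` column are assumptions, since the real schema is not shown in the record.

```php
<?php
// Added example, not code from the vulnerable project. Assumes a mysqli
// connection and a hypothetical `students` table with `id` and `name` columns.
$conn = new mysqli('localhost', 'app_user', 'PLACEHOLDER_PASSWORD', 'app_db');
$conn->set_charset('utf8mb4');

// VULNERABLE PATTERN (the one the record describes): the raw `keyname` value is
// spliced into the SQL text, so a quote character in the input ends the string
// literal and the remainder of the input is parsed as SQL.
function search_vulnerable(mysqli $conn, string $keyname): array
{
    $sql = "SELECT id, name FROM students WHERE name LIKE '%" . $keyname . "%'";
    $result = $conn->query($sql);
    return $result ? $result->fetch_all(MYSQLI_ASSOC) : [];
}

// HARDENED VERSION: a prepared statement keeps the query text fixed and sends the
// search term as a bound parameter, so the input can never change the SQL logic.
// The LIKE wildcards are escaped as well, so input cannot widen the match.
function search_safe(mysqli $conn, string $keyname): array
{
    // Escape `%`, `_` and `\` so they are matched literally inside the pattern
    // (MySQL's default LIKE escape character is the backslash).
    $pattern = '%' . addcslashes($keyname, '%_\\') . '%';
    $stmt = $conn->prepare('SELECT id, name FROM students WHERE name LIKE ?');
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    // get_result() needs the mysqlnd driver, which is the default in modern PHP.
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Hypothetical request wiring for search.php: validate length, then query safely.
$keyname = (string) ($_GET['keyname'] ?? '');
if ($keyname === '' || strlen($keyname) > 64) {
    http_response_code(400);
    exit('invalid keyname');
}
foreach (search_safe($conn, $keyname) as $row) {
    echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), "<br>\n";
}
```

The escalation paths the record lists (`LOAD_FILE()`, `INTO OUTFILE`) depend on the application's database account holding the FILE privilege; running the web application under a least-privilege account without it, with `secure_file_priv` set, limits the blast radius even where an injection remains.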