| Field | Value |
|---|---|
| Title | code-projects Accounting System in PHP 1.0 SQL Injection |
| Description | Accounting System in PHP 1.0 contains a time-based blind SQL injection vulnerability in the cos_id parameter of the /my_account/delete.php endpoint. The application does not validate or sanitize this user-supplied value before including it in SQL queries executed by the backend database.<br><br>The cos_id parameter identifies the customer record to delete. The application incorporates it directly into the SQL query without input validation or the use of prepared statements, so an attacker can inject SQL commands into the query.<br><br>An attacker can exploit this by supplying crafted SQL payloads in the cos_id parameter. By using database delay functions such as SLEEP(), the attacker can make the server delay its response for a measurable period of time, which confirms that the injected SQL statements are executed by the backend database.<br><br>Because the application does not display database error messages, exploitation relies on a time-based blind SQL injection technique, in which information about the database is inferred from differences in server response time.<br><br>Successful exploitation may allow attackers to enumerate database structures, extract sensitive information such as user or administrative data, manipulate database records, or perform other unauthorized database operations, depending on the privileges of the database account used by the application.<br><br>The root cause is insufficient input validation and the absence of parameterized SQL queries when handling user-controlled input. |
| Source | https://github.com/ahmadmarz10-hub/CVEsMarz/blob/main/Time-Based%20Blind%20SQL%20Injection%20Accounting%20System%20in%20PHP%20in%20cos_id%20Parameter.md |
| User | AhmadMarzook (UID 96211) |
| Submission | 03/09/2026 18:21 (26 days ago) |
| Moderation | 03/25/2026 15:24 (16 days later) |
| Status | Accepted |
| VulDB entry | 353140 [code-projects Accounting System 1.0 /my_account/delete.php cos_id sql injection] |
| Points | 20 |
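The description names the root cause as string-built SQL without validation or parameter binding. The following PHP is an added example written for this entry, not code from the Accounting System in PHP project: it shows the vulnerable pattern next to a hardened delete handler. It assumes a `mysqli` connection, a `customer` table whose integer primary key is `cos_id`, placeholder database credentials, and the record id arriving in `$_GET['cos_id']`; none of these names are taken from the project.

```php
<?php
// Added example; not the project's code. Assumed: mysqli connection $conn,
// table `customer` with integer primary key `cos_id`, id in $_GET['cos_id'].

// Vulnerable pattern (the defect the description refers to): the request value
// is interpolated into the SQL text, so anything placed in cos_id becomes part
// of the statement the database executes.
function delete_customer_vulnerable(mysqli $conn, string $cosId): bool
{
    $sql = "DELETE FROM customer WHERE cos_id = '$cosId'";
    return $conn->query($sql) !== false;
}

// Hardened pattern: validate the type first, then bind the value as a
// parameter so it is sent to the server as data, never as SQL text.
function delete_customer_safe(mysqli $conn, $cosId): bool
{
    // filter_var returns false for anything that is not a whole number
    // (strings with quotes, spaces or keywords are rejected here, before
    // any query is built).
    $id = filter_var($cosId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return false;
    }

    // Server-side prepared statement with a single integer placeholder.
    $stmt = $conn->prepare('DELETE FROM customer WHERE cos_id = ?');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('i', $id);      // 'i' = bind as integer
    $ok = $stmt->execute();
    $deleted = $stmt->affected_rows;  // 0 means no record with that id
    $stmt->close();
    return $ok && $deleted === 1;
}

// Entry point with the assumed layout of /my_account/delete.php.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$conn = new mysqli('localhost', 'db_user', 'db_password', 'accounting'); // placeholder credentials
$conn->set_charset('utf8mb4');

if (delete_customer_safe($conn, $_GET['cos_id'] ?? '')) {
    header('Location: index.php');
} else {
    echo 'Invalid or unknown customer id.';
}
```

Parameter binding is the fix for the root cause the description names; the integer check in front of it is a secondary layer that also gives a clean 400 response instead of a database round trip for malformed ids. `mysqli_report` with `MYSQLI_REPORT_STRICT` turns driver errors into exceptions so that a failed statement cannot silently be treated as success.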