| tiêu đề | code-projects Online Application System for Admission in PHP unknown SQL Injection |
|---|
| Mô tả | A SQL Injection vulnerability exists in the Online Application System for Admission in PHP (code-projects). Several server-side scripts (for example enrollment/index.php, enrollment/adminlogin.php, and enrollment/signupconfirm.php) build SQL statements by directly concatenating user-controlled input into queries without using parameterized queries or proper input sanitization. An attacker can inject crafted SQL payloads into form fields (e.g. login or search inputs) to alter the intended SQL logic, which may allow authentication bypass, unauthorized disclosure of sensitive data, modification or deletion of database records, and escalation of privileges.
Proof-of-Concept (example):
POST to the login endpoint with:
u_id: admin' OR '1'='1
u_ps: anything
If successful, the injected condition (' OR '1'='1) causes the WHERE clause to always evaluate true and may bypass authentication.
Impact:
Authentication bypass (including administrative accounts)
Data exfiltration (sensitive user records)
Data tampering or deletion
Potential lateral movement or further exploitation depending on DB privileges |
|---|
| Người dùng | imcoming (UID 95032) |
|---|
| Đệ trình | 30/01/2026 10:58 (cách đây 3 các tháng) |
|---|
| Kiểm duyệt | 07/02/2026 15:52 (8 days later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 344873 [code-projects Online Application System for Admission 1.0 Login Endpoint enrollment/index.php Tiêm SQL] |
|---|
| điểm | 17 |
|---|