
Admin SQL Injection Alert

The admin login page for a website is vulnerable to SQL injection attacks. An attacker could bypass the login page and gain unauthorized access to the admin panel by entering malicious SQL code as the username. This could allow the theft, modification, or deletion of sensitive user or organizational data. The development team needs to implement input validation and sanitization techniques like prepared statements to prevent SQL injection and conduct a security audit to find other vulnerabilities.


Summary:

I found an SQL injection vulnerability on your website's admin page.

Bug Report:
SQL Injection on Admin Login Page

Issue summary:

The admin login page is vulnerable to SQL injection attacks.

Vulnerability Name:
SQL Injection on admin login page

Description:

1. SQL injection (SQLi) is a web security vulnerability that allows an attacker to interfere
with the queries that an application makes to its database.

2. It generally allows an attacker to view data that they are not normally able to retrieve.
This might include data belonging to other users, or any other data that the application
itself is able to access.

3. In many cases, an attacker can modify or delete this data, causing persistent changes
to the application's content or behavior.

Affected Resources/URL: https://skywings.co.uk/admin/skyadmin/index.php

Impact:
i. An attacker can use SQL injection to bypass the login page and
gain unauthorized access to the admin panel. This can lead to data theft,
modification, or deletion, as well as other malicious activities.

ii. A successful SQL injection attack can result in unauthorized access to sensitive data, such
as passwords, credit card details, or personal user information.

iii. Many high-profile data breaches in recent years have been the result of SQL injection
attacks, leading to reputational damage and regulatory fines.

iv. In some cases, an attacker can obtain a persistent backdoor into an organization's systems,
leading to a long-term compromise that can go unnoticed for an extended period.

Recommendation
· The development team should immediately implement proper input validation and
parameterized database access to prevent SQL injection on the admin login page. This
can be done with prepared statements or parameterized queries, or with an ORM
framework that builds parameterized queries automatically (raw SQL issued through
an ORM still has to be parameterized by hand). The team should also conduct a
thorough security audit of the entire application to ensure that other vulnerabilities are
not present.

· Applying these measures will keep your website safe and secure.

Steps to reproduce:

1. Go to the admin login page.

2. In the username field, enter: ' or 1=1--

3. In the password field, enter any text.

4. Click on the login button.

Expected Result:

The login should fail as the username and password are incorrect.

Actual Result:

The user is logged in successfully, indicating that the SQL query is not properly sanitized and is
vulnerable to SQL injection attacks.
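The following Python snippet is an added illustration, not code from this report or from the affected site. It reproduces the login logic that the steps above exercise against an in-memory SQLite table: `login_vulnerable` pastes the username into the SQL text the way the report describes, so the username from step 2 turns the WHERE clause into a tautology and the password check is commented out, while `login_fixed` applies the recommendation above with a parameterized query. The table name, column names, demo account and password are all constructed for the demonstration and are not taken from the site.

```python
import hashlib
import sqlite3

# Constructed demo credentials for the in-memory table (not the site's real account).
DEMO_USER = "admin"
DEMO_PASSWORD = "constructed-demo-password"


def password_hash(password: str) -> str:
    """Hash the supplied password before it reaches the query.

    SHA-256 keeps the demo dependency-free; a real login should verify
    against a slow, salted password hash (bcrypt, scrypt or Argon2).
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def setup_db() -> sqlite3.Connection:
    """Create an in-memory table standing in for the admin accounts table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (username TEXT, password_hash TEXT)")
    conn.execute(
        "INSERT INTO admins VALUES (?, ?)",
        (DEMO_USER, password_hash(DEMO_PASSWORD)),
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The defect the report describes: the username is concatenated into the SQL text.

    A quote character ends the string literal and '--' comments out the rest
    of the statement, so the password comparison is never evaluated.
    """
    sql = (
        "SELECT username FROM admins WHERE username = '" + username
        + "' AND password_hash = '" + password_hash(password) + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_fixed(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The recommended fix: a parameterized query.

    The SQL text is constant and the driver binds the values, so whatever the
    user types is compared as data and cannot change the shape of the query.
    """
    sql = "SELECT username FROM admins WHERE username = ? AND password_hash = ?"
    row = conn.execute(sql, (username, password_hash(password))).fetchone()
    return row is not None


def reproduce(conn: sqlite3.Connection) -> dict:
    """Run the report's reproduction step against both implementations."""
    payload = "' or 1=1--"  # the username from step 2 of the report
    return {
        "vulnerable_bypassed": login_vulnerable(conn, payload, "any text"),
        "fixed_bypassed": login_fixed(conn, payload, "any text"),
        "fixed_valid_login": login_fixed(conn, DEMO_USER, DEMO_PASSWORD),
    }


if __name__ == "__main__":
    for check, result in reproduce(setup_db()).items():
        print(f"{check}: {result}")
```

Running the module reports `vulnerable_bypassed: True`, `fixed_bypassed: False` and `fixed_valid_login: True`, which is exactly the difference between the "Actual Result" and the "Expected Result" above. The same rule applies to every user-controlled value that reaches a query, not only the username field, so a security audit of the application should look for any query built by string concatenation and convert it to bound parameters.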

POC:
I am an ethical hacker from cyber security.

Awards:

money, swag
