By kannthu
The "Company Visitor Management System 1.0 - SQL Injection" module is designed to detect a SQL injection vulnerability in the Company Visitor Management System 1.0 software. This vulnerability allows an attacker to manipulate the login page's username parameter and potentially gain unauthorized access to sensitive information. The severity of this vulnerability is classified as critical, indicating the potential for significant harm if exploited. The module was authored by arafatansari.
If successfully exploited, the SQL injection vulnerability in the Company Visitor Management System 1.0 can lead to unauthorized access to sensitive information. This can include confidential data, user credentials, or other valuable assets stored within the system. The impact of such unauthorized access can be severe, potentially compromising the security and integrity of the entire system.
The module works by sending a crafted HTTP POST request to the target system's login page. The request includes a manipulated username parameter that attempts to exploit the SQL injection vulnerability. The module then checks the response for specific patterns to determine if the vulnerability is present.
For example, the module checks if the response body contains the words "Admin user," "Dashboard," and "CVMS" to confirm the successful login and presence of the Company Visitor Management System. Additionally, it verifies that the response status code is 200, indicating a successful request.
By analyzing the response and matching conditions, the module can accurately identify the presence of the SQL injection vulnerability in the Company Visitor Management System 1.0.
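The response check described above can be sketched as follows. This is an added example, not the module's own code: it treats the three words and the 200 status as all-required, as the description reads. The `Response` type, the function names and the sample responses are constructed for illustration.

```python
from dataclasses import dataclass

# Conditions named in the module description; all must hold together.
REQUIRED_WORDS = ("Admin user", "Dashboard", "CVMS")
REQUIRED_STATUS = 200


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (hypothetical type)."""
    status: int
    body: str


def evaluate(resp: Response) -> dict:
    """Return per-condition results plus the overall AND verdict."""
    words = {w: w in resp.body for w in REQUIRED_WORDS}
    status_ok = resp.status == REQUIRED_STATUS
    return {
        "words": words,
        "status": status_ok,
        "matched": status_ok and all(words.values()),
    }


# Constructed sample responses, not captured from a real system.
SAMPLES = {
    "dashboard_after_login": Response(
        200, "<title>CVMS | Dashboard</title><p>Welcome Admin user</p>"),
    "login_page_again": Response(
        200, "<title>CVMS | Login</title><p>Invalid details</p>"),
    "redirect_with_words": Response(
        302, "CVMS Dashboard Admin user"),
}


def run_samples() -> dict:
    """Evaluate every constructed sample and return name -> verdict."""
    return {name: evaluate(r)["matched"] for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, r in SAMPLES.items():
        result = evaluate(r)
        missing = [w for w, ok in result["words"].items() if not ok]
        print(f"{name}: matched={result['matched']} missing={missing}")
```

Only the first sample matches: a re-rendered login page still contains "CVMS" but lacks the dashboard strings, and a non-200 response fails even when every word is present.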