Automate Recon and scanning process with Vidoc. All security teams in one place
By kannthu
The "Zoo Management System 1.0 - SQL Injection" module is designed to detect a SQL injection vulnerability in the Zoo Management System 1.0 software. This vulnerability allows an attacker to manipulate the username parameter on the login page, potentially gaining unauthorized access to sensitive information. The severity of this vulnerability is classified as critical.
This module was authored by arafatansari.
A successful exploitation of the SQL injection vulnerability in Zoo Management System 1.0 can lead to various consequences, including:
- Unauthorized access to sensitive information - Data manipulation or deletion - Potential compromise of the entire systemThe "Zoo Management System 1.0 - SQL Injection" module works by sending a crafted HTTP POST request to the "/admin/index.php" endpoint of the target system. The request includes a manipulated username parameter that triggers the SQL injection vulnerability. The module then checks for specific response conditions to determine if the vulnerability is present.
Example HTTP request:
POST /admin/index.php HTTP/1.1
Host: <Hostname>
Content-Type: application/x-www-form-urlencoded
username=admin%27+or+%271%27%3D%271&password=any&login=
The module uses two matching conditions to confirm the presence of the vulnerability:
- It checks the response body for the presence of specific keywords, such as "ZMS ADMIN," "Dashboard," and "Zoo Management System." - It verifies that the response status code is 200, indicating a successful request.If both conditions are met, the module reports the vulnerability.