Vulnerability Name: SQL Injection on [Parameter] at [Domain name]
Vulnerability Description: SQL injection, also known as SQLi, is a common attack vector that uses malicious SQL code to manipulate the backend database and access information that was not intended to be displayed. This information may include any number of items, including sensitive company data, user lists or private customer details.
[SQL payload to fetch the db]
Steps to Reproduce:
Go to the [URL].
Use the above payload
SQL payload to fetch the db on
Intercept the request with Burp and check the response.
You should see the database there.
This is SQL Injection.
Snapshots or video link attached
Impact: There are a number of things an attacker can do when exploiting an SQL injection on a vulnerable website. Usually, it depends on the privileges of the user the web application uses to connect to the database server. By exploiting an SQL injection vulnerability, an attacker can:
Add, delete, edit or read content in the database
Read source code from files on the database server
Write files to the database server
It all depends on the capabilities of the attacker.
Attack Scenario: [Create your own attack scenario according to the workflow of the website]
Remediation:
The best way to prevent SQL injection is input validation.
Use prepared statements to prevent SQL injection.
If possible, use a WAF.
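
The input validation and prepared statement measures listed above, shown as an added example that is not part of the original template. The `users` table, its columns, the function names and the test input are all constructed for illustration, using Python's built-in `sqlite3` module.

```python
import sqlite3

ALLOWED_SORT_COLUMNS = {"username", "email"}  # assumed column names


def make_db():
    """Constructed in-memory sample database (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("bob", "bob@example.test"), ("alice", "alice@example.test")],
    )
    return db


def find_user_vulnerable(db, username):
    # Before: the input is pasted into the SQL text, so the database
    # parses it as part of the statement.
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return db.execute(query).fetchall()


def find_user_prepared(db, username):
    # After: the ? placeholder binds the input as a value; it is never
    # parsed as SQL, whatever characters it contains.
    query = "SELECT username, email FROM users WHERE username = ?"
    return db.execute(query, (username,)).fetchall()


def list_users(db, sort_by):
    # Placeholders cannot bind identifiers such as column names, so this
    # is where input validation is needed: accept only known columns.
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column")
    return db.execute(f"SELECT username, email FROM users ORDER BY {sort_by}").fetchall()


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed test input
    print(len(find_user_vulnerable(db, crafted)))
    print(find_user_prepared(db, crafted))
    print(list_users(db, "username"))
```

The concatenated query returns every row for the crafted input, while the prepared statement returns none because the same string is compared as a literal username.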