Submit #290516: sourcecodester Petrol pump management software 1.0 SQL Injection

Title: sourcecodester Petrol pump management software 1.0 SQL Injection

Description: The Petrol Pump Management Software available on SOURCECODESTER is vulnerable to an unauthenticated SQL injection attack through its /admin/edit_supplier.php endpoint. The flaw is due to the application's improper handling and sanitization of user-supplied input in the id parameter. By exploiting this vulnerability, attackers can craft malicious SQL queries that the application executes without validation. The provided proof of concept demonstrates how an attacker can use a UNION SELECT query, injected into the id parameter, to retrieve sensitive information from the database, such as the contents of the /etc/passwd file or the database version. This type of vulnerability poses a significant risk, as it can lead to unauthorized access to sensitive data, database manipulation, or even complete system compromise. The addition of credits to Russel James Avenido alongside Joshua Lictan suggests a collaborative effort in identifying and reporting this critical vulnerability. It underscores the need for rigorous input validation, the use of prepared statements, and proper authentication mechanisms to protect web applications from SQL injection attacks.

Source: https://github.com/skid-nochizplz/skid-nochizplz/blob/main/TrashBin/CVE/SOURCECODESTER%20Petrol%20pump%20management%20software/edit_supplier.php%20SQL%20Injection.md

User: nochizplz (ID 64302)

Submission: 2024-02-29 05:26

Moderation: 2024-03-01 07:54 (1 day later)

Status: Accepted

VulDB Entry: 255376
