| Title | SourceCodester Pet grooming management software 1.0 SQL Injection |
|---|
| Description | Title: Pet Grooming Management SQL Injection (Authenticated) on profit_report.php / salereport.php section
Author: Kuldeep Sahu
Date: 2025-08-30
Application: Pet Grooming Management System
Affected Page: profit_report.php / sale_report.php - Profit Per Product/Service section
Product Information:
Vendor Homepage: https://www.sourcecodester.com/
Software Link: [https://www.sourcecodester.com/php/xxxx/pet-grooming-management-system.html]
Affected Version: <= v1.0
Vulnerability Summary:
An authenticated SQL Injection (SQLi) vulnerability was identified in the Pet Grooming Management System, specifically in the Profit Per Product/Service report. The product_id parameter of the POST request is not sanitized, allowing manipulation of the SQL query and retrieval of sensitive database information.
Steps to Reproduce:
Step 1: Log in using admin credentials.
Step 2: Navigate to Reports → Profit Report → Profit Per Product/Service.
Step 3: Select a product and click Search.
Step 4: Intercept the POST request using a proxy (Burp Suite).
Step 5: Copy the request and save it to a file called req.txt for the automated SQLi test.
Step 6: sqlmap -r req.txt --level=3 --risk=2 --dbs --batch
You can then see that the database name was successfully fetched using the SQLi vulnerability.
Root Cause:
File path: admin/profit_report.php, sale_report.php
Direct concatenation of the user input $product_id into the SQL query.
PDO is used, but without parameter binding, leaving the query vulnerable.
Impact:
Full disclosure of database structure and sensitive business data.
Ability to execute arbitrary queries, including extracting financial data.
Potential pivot to other attacks such as RCE if combined with other vulnerabilities.
Recommended Mitigation:
Use parameterized queries with bound parameters.
Validate input (product_id should be numeric and within valid ranges).
Implement proper error handling; do not expose SQL errors to users. |
|---|
| Source | https://medium.com/@kuldeepsahoo877/vulnerability-report-sql-injection-in-pet-grooming-management-system-76bd514224ee |
|---|
| User | Kuldeep (UID 89660) |
|---|
| Submission | 08/30/2025 20:00 (10 months ago) |
|---|
| Moderation | 09/07/2025 20:45 (8 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 323043 [SourceCodester Pet Grooming Management Software 1.0 /admin/profit_report.php product_id sql injection] |
|---|
| Points | 20 |
|---|
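The root cause and mitigation above describe a PDO query that concatenates `$product_id` instead of binding it. The following is an added illustration written for this page, not code from the Pet Grooming Management System; the table and column names (`products`, `sales`, `amount`) and the function names are assumptions, and the report query itself is a stand-in for whatever the real profit report runs. It places the concatenation pattern the report describes beside a validated, bound version and runs the safe one against a constructed in-memory SQLite database.

```php
<?php
// Pattern the report describes (illustrative, not the project's code): the POST value is
// pasted into the SQL string, so PDO's prepared-statement machinery never sees it as data.
function profitPerProductUnsafe(PDO $pdo, string $product_id): array {
    $sql = 'SELECT p.name, SUM(s.amount) AS revenue FROM sales s '
         . 'JOIN products p ON p.id = s.product_id '
         . 'WHERE s.product_id = ' . $product_id . ' GROUP BY p.name';
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: validate that product_id is a positive integer, then bind it with
// PDO::PARAM_INT so the value is always treated as data, never as SQL.
function profitPerProduct(PDO $pdo, string $product_id): array {
    $id = filter_var($product_id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        // Reject before touching the database; the caller shows a generic error to the
        // user rather than any SQL detail.
        throw new InvalidArgumentException('product_id must be a positive integer');
    }
    $stmt = $pdo->prepare(
        'SELECT p.name, SUM(s.amount) AS revenue FROM sales s '
      . 'JOIN products p ON p.id = s.product_id '
      . 'WHERE s.product_id = :id GROUP BY p.name'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data in an in-memory SQLite database. With MySQL, additionally set
// PDO::ATTR_EMULATE_PREPARES to false so the binding is done server-side.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec('CREATE TABLE sales (id INTEGER PRIMARY KEY, product_id INTEGER, amount REAL)');
$pdo->exec("INSERT INTO products VALUES (1, 'Bath'), (2, 'Nail trim')");
$pdo->exec('INSERT INTO sales VALUES (1, 1, 25.0), (2, 1, 30.0), (3, 2, 12.5)');

// A well-formed POST value (form fields arrive as strings) returns one row: Bath, 55.0.
print_r(profitPerProduct($pdo, '1'));

// Anything that is not a positive integer is refused before a query is built.
try {
    profitPerProduct($pdo, 'not-a-number');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Running the unsafe variant with the same inputs would pass the string straight into the SQL text, which is exactly the condition the report's sqlmap step detects.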