| Field | Value |
|---|---|
| Title | SourceCodester Sales and Inventory System 1.0 SQL Injection |
| Description | A SQL injection vulnerability exists in version 1.0 of the SourceCodester Sales and Inventory System, in the update_supplier.php component. The application does not sanitize or parameterize the sid parameter of an HTTP GET request before using it in a database query, so an authenticated attacker can inject arbitrary SQL. Because the backend database is MySQL, UNION-based, Boolean-based blind, and time-based blind injection techniques can all be used to enumerate the database schema and exfiltrate sensitive content. |
| Source | https://github.com/meifukun/Web-Security-PoCs/blob/main/Inventory-System/SQLi-UpdateSupplier-sid.md?plain=1 |
| User | Anonymous User |
| Submission | 03/08/2026 15:00 |
| Moderation | 03/22/2026 09:42 (14 days later) |
| Status | Accepted |
| VulDB entry | 352405 [SourceCodester Sales and Inventory System 1.0 HTTP GET Request /update_supplier.php sid sql injection] |
| Points | 20 |
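The entry above describes the vulnerable pattern only in prose. The following is an added example, not code from the Sales and Inventory System or from the linked PoC: it reconstructs the class of bug the description names (a GET parameter `sid` concatenated into a supplier lookup) beside a hardened version, and shows why the UNION and Boolean-blind techniques the entry mentions work against the former and not the latter. The table and column names, the sample rows, and the function names are constructed for the demo; the real application's schema is not on the page. An in-memory SQLite database is used so the script runs stand-alone; the target is MySQL, where the same payload shapes apply (time-based blind via `SLEEP()` is MySQL-specific and not reproducible in SQLite, so it is not shown).

```php
<?php
// Added example, not the project's code. Hypothetical reconstruction of the
// pattern described in the advisory: an unsanitized GET parameter "sid"
// concatenated into a supplier lookup, beside a parameterized version.
declare(strict_types=1);

function makeDb(): PDO {
    // Constructed schema and rows, standing in for the real MySQL database.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE supplier (sid INTEGER PRIMARY KEY, name TEXT, contact TEXT)');
    $db->exec("INSERT INTO supplier VALUES (1, 'Acme Parts', 'acme@example.test'),
                                           (2, 'Globex Supply', 'globex@example.test')");
    // A second table representing the sensitive data an attacker would pivot to.
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
    $db->exec("INSERT INTO users VALUES (1, 'admin', 'constructed-hash-value')");
    return $db;
}

// Vulnerable pattern (assumed, not the project's actual code): the raw request
// parameter is interpolated straight into the SQL string.
function lookupSupplierVulnerable(PDO $db, string $sid): array {
    $sql = "SELECT sid, name, contact FROM supplier WHERE sid = $sid";
    return $db->query($sql)->fetchAll(PDO::FETCH_NUM);
}

// Hardened version: validate the expected type first, then bind the value as a
// parameter so it can never be parsed as SQL.
function lookupSupplierSafe(PDO $db, string $sid): array {
    if (!ctype_digit($sid)) {
        throw new InvalidArgumentException('sid must be a positive integer');
    }
    $stmt = $db->prepare('SELECT sid, name, contact FROM supplier WHERE sid = :sid');
    $stmt->bindValue(':sid', (int) $sid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_NUM);
}

$db = makeDb();

// Legitimate request, e.g. update_supplier.php?sid=1: one supplier row.
echo json_encode(lookupSupplierVulnerable($db, '1')), "\n";

// UNION-based: the attacker-controlled SELECT is appended with a matching
// column count, and the users row comes back in place of a supplier.
$union = '0 UNION SELECT id, username, password FROM users';
echo json_encode(lookupSupplierVulnerable($db, $union)), "\n";

// Boolean-based blind: the page content differs depending on whether the
// injected condition is true, which is enough to extract data bit by bit.
echo count(lookupSupplierVulnerable($db, '1 AND 1=1')), "\n"; // 1 row
echo count(lookupSupplierVulnerable($db, '1 AND 1=2')), "\n"; // 0 rows

// The same payloads never reach the database in the hardened version.
foreach ([$union, '1 AND 1=1'] as $payload) {
    try {
        lookupSupplierSafe($db, $payload);
    } catch (InvalidArgumentException $e) {
        echo "rejected: {$e->getMessage()}\n";
    }
}
echo json_encode(lookupSupplierSafe($db, '1')), "\n";
```

The type check is defence in depth rather than the fix itself: the prepared statement alone would already neutralize the payloads, since a bound `:sid` is sent to the server as data. Rejecting non-numeric input early additionally gives the application a clean place to log the attempt, which is the detection signal a defender would want from this endpoint.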