| Title | SourceCodester Sales and Inventory System 1.0 SQL Injection |
|---|
| Description | A SQL Injection vulnerability exists in version 1.0 of the Inventory System, specifically within the view_customers.php component. The application fails to properly sanitize the searchtxt parameter in HTTP POST requests during the customer search process. This allows an authenticated attacker to inject and execute arbitrary SQL commands. As the backend database is MySQL, the vulnerability can be exploited using UNION-based, Boolean-based blind, and Time-based blind techniques to exfiltrate sensitive database content (such as customer PII and sales data) and enumerate the database schema. |
|---|
| Source | ⚠️ https://github.com/meifukun/Web-Security-PoCs/blob/main/Inventory-System/SQLi-ViewCustomers-searchtxt.md |
|---|
| User | Anonymous User |
|---|
| Submission | 03/08/2026 15:14 (1 month ago) |
|---|
| Moderation | 03/22/2026 09:42 (14 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 352407 [SourceCodester Sales and Inventory System 1.0 HTTP POST Request /view_customers.php searchtxt sql injection] |
|---|
| Points | 20 |
|---|