| Field | Value |
|---|---|
| Title | SourceCodester Sales and Inventory System 1.0 SQL Injection |
| Description | A SQL Injection vulnerability exists in version 1.0 of the Inventory System, specifically within the view_product.php component. The application fails to properly sanitize the searchtxt parameter in HTTP POST requests triggered during the product search functionality. This allows an authenticated attacker to inject and execute arbitrary SQL commands. As the backend database is MySQL, the vulnerability can be exploited using UNION-based (11 columns), Boolean-based blind, and Time-based blind injection techniques. Successful exploitation allows attackers to bypass authentication by reading administrator credentials, exfiltrate sensitive database content such as users, orders, and supplier information, and enumerate the underlying database schema. |
| Source | https://github.com/meifukun/Web-Security-PoCs/blob/main/Inventory-System/SQLi-ViewProduct-searchtxt.md |
| User | Anonymous User |
| Submitted | 08/03/2026 15:17 (1 month ago) |
| Moderated | 22/03/2026 09:43 (14 days later) |
| Status | accepted |
| VulDB Entry | 352409 [SourceCodester Sales and Inventory System 1.0 HTTP POST Request /view_product.php searchtxt SQL Injection] |
| Points | 20 |