SourceCodester Stock Management System SQL Injection Vulnerability

A critical SQL injection vulnerability has been identified in SourceCodester's Stock Management System version 1.0. The issue resides in the admin sales view page, specifically within the ID parameter. This vulnerability allows remote attackers to inject arbitrary SQL queries, potentially leading to unauthorized data access. Exploitation of this vulnerability has been publicly disclosed.

Impact

Exploitation of this vulnerability allows attackers to extract sensitive information from the application's database, such as usernames and password hashes from the users table. This extracted data could be used for unauthorized access or other malicious activities.

Reproduction

To reproduce this vulnerability, log into a staff member account and navigate to the sales view page in the admin section. Once there, modify the ID parameter to include a UNION-based SQL injection payload. The response will reveal concatenated usernames and password hashes from the users table.