SourceCodester Stock Management System SQL Injection Vulnerability in Back Order View

A critical SQL injection vulnerability has been identified in SourceCodester Stock Management System version 1.0. The issue arises in the Back Order management page, specifically within the admin interface. The vulnerability allows remote attackers to inject arbitrary SQL commands through the 'id' parameter, potentially leading to unauthorized data access or manipulation. Exploitation of this vulnerability is relatively easy and has been publicly disclosed, with a proof-of-concept exploit available.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can manipulate database queries. This could lead to unauthorized data access, such as extracting sensitive information from the database. In this case, the vulnerability can be exploited to access data from the 'users' table, including usernames and MD5 hashed passwords.

Reproduction

To reproduce this vulnerability, navigate to the admin Back Order management page. The vulnerability can be triggered by manipulating the 'id' parameter in the URL. Once the SQL injection is successful, a UNION-based payload can be used to extract sensitive data from the database.