Edu Business Solutions Print Shop Pro WebDesk SQL Injection Vulnerability
Vulnerability
A blind time-based SQL injection vulnerability has been identified in Edu Business Solutions Print Shop Pro WebDesk version 18.34. The issue resides in the 'hfInventoryDistFormID' parameter of the '/PSP/appNET/Store/CartV12.aspx/GetUnitPrice' endpoint. The parameter value is placed into a SQL query without parameterization or escaping, so a remote attacker can execute arbitrary SQL statements against the backend database.
Impact
Exploitation of this vulnerability could lead to unauthorized access to sensitive data, database manipulation, privilege escalation, or remote code execution.
Reproduction
To reproduce this vulnerability, send a POST request to the '/PSP/appNET/Store/CartV12.aspx/GetUnitPrice' endpoint with the 'hfInventoryDistFormID' parameter set to '1 waitfor delay'0:0:20'--'. This payload will cause the server to delay its response by 20 seconds, indicating that the SQL injection was successful. The response will include a stack trace, further confirming the vulnerability.
Remediation
It is recommended to use parameterized queries or prepared statements so that user-supplied values are bound as data and never interpreted as SQL, to implement strict input validation and filtering (for example, accepting only an integer for an ID parameter), to restrict the database permissions of the web application's login to only what it needs, and to keep dependencies and database management systems updated.
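An added illustration of that remediation for an ASP.NET endpoint backed by SQL Server (this is example code, not the vendor's; the table name, column name and query shape are assumed, since the advisory does not show the original query):

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Hypothetical stand-in for the query behind GetUnitPrice; the
// InventoryDistForm table and UnitPrice column are assumed names.
public static class UnitPriceLookup
{
    // Vulnerable pattern: the raw parameter value is spliced into the
    // statement, so a value such as "1 waitfor delay '0:0:20'--" is
    // executed as T-SQL instead of being treated as a record ID.
    public static decimal GetUnitPriceUnsafe(SqlConnection conn, string hfInventoryDistFormID)
    {
        string sql = "SELECT UnitPrice FROM InventoryDistForm WHERE ID = "
                     + hfInventoryDistFormID;
        using (var cmd = new SqlCommand(sql, conn))
        {
            return Convert.ToDecimal(cmd.ExecuteScalar());
        }
    }

    // Hardened version: validate the type up front, then bind the value
    // as a typed parameter so the database engine never parses it as SQL.
    public static decimal? GetUnitPriceSafe(SqlConnection conn, string hfInventoryDistFormID)
    {
        // Strict validation: the form ID must be a positive integer.
        // Anything else (including the time-based payload above) is rejected
        // before any query runs.
        if (!int.TryParse(hfInventoryDistFormID, out int formId) || formId <= 0)
        {
            return null;
        }

        const string sql = "SELECT UnitPrice FROM InventoryDistForm WHERE ID = @FormId";
        using (var cmd = new SqlCommand(sql, conn))
        {
            // SqlDbType.Int ensures the value is sent as a typed parameter,
            // not concatenated into the statement text.
            cmd.Parameters.Add("@FormId", SqlDbType.Int).Value = formId;
            object result = cmd.ExecuteScalar();
            return result == null || result == DBNull.Value
                ? (decimal?)null
                : Convert.ToDecimal(result);
        }
    }
}
```

Pair the parameterized query with a database login that holds only the SELECT rights this endpoint needs, and return a generic error instead of the stack trace the advisory notes in the response, so a failed query discloses nothing about the schema.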
