ycf1998 Money-Pos SQL Injection Vulnerability in Orderby Parameter
Vulnerability
A SQL injection vulnerability has been identified in the ycf1998 Money-Pos system, affecting multiple query interfaces in versions prior to the author's fix on September 14, 2025. The vulnerability allows remote attackers to execute arbitrary code by injecting payloads into the orderby parameter. The affected interfaces include roles, brand, goods, orders, members, and users.
Impact
Exploitation of this vulnerability allows for SQL injection, where an attacker can manipulate database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing arbitrary code on the server.
Reproduction
To reproduce this vulnerability, deploy a Money-Pos version prior to the fix on September 14, 2025. After logging into the application, navigate to the role management section under system management. Use Burp Suite to intercept the request and inject a payload into the orderBy parameter, such as 'id, and sleep(1)'. A response delayed by the sleep interval confirms that the injected expression was evaluated by the database.
Remediation
The vulnerability has been fixed in the latest version of the Money-Pos system. For users of previous versions, it is recommended to update to the latest version.
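The root cause described above is an orderBy value reaching the ORDER BY clause as raw text. The following is an added example, not code from the Money-Pos project: it shows that concatenation pattern (assumed; the page does not show the project's source) next to a hardened version that allowlists the sortable column and direction, since ORDER BY identifiers cannot be passed as bind parameters. The table, column names and interface list are constructed for the example.

```python
import re
import sqlite3

# Columns each interface may legitimately sort on (constructed for this
# example; the real Money-Pos schema is not on the advisory page).
ALLOWED_SORT_COLUMNS = {
    "roles": {"id", "name", "create_time"},
    "users": {"id", "username", "create_time"},
}
ORDER_BY_PATTERN = re.compile(r"\s*([A-Za-z_]\w*)\s*(asc|desc)?\s*", re.IGNORECASE)


def vulnerable_order_clause(order_by: str) -> str:
    """Assumed vulnerable pattern: the parameter is pasted into the SQL text,
    so a value like 'id, and sleep(1)' becomes part of the executed query."""
    return f"SELECT id, name FROM roles ORDER BY {order_by}"


def safe_order_clause(interface: str, order_by: str) -> str:
    """Hardened form: accept only '<column> [asc|desc]' where the column is
    allowlisted for this interface; anything else is rejected, not sanitised."""
    match = ORDER_BY_PATTERN.fullmatch(order_by)
    if match is None:
        raise ValueError("orderBy must be '<column> [asc|desc]'")
    column = match.group(1).lower()
    direction = (match.group(2) or "asc").upper()
    if column not in ALLOWED_SORT_COLUMNS.get(interface, set()):
        raise ValueError(f"column {column!r} is not sortable for {interface}")
    return f"SELECT id, name FROM {interface} ORDER BY {column} {direction}"


def run_safe(interface: str, order_by: str) -> list:
    """Execute the hardened query against a constructed in-memory roles table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE roles (id INTEGER, name TEXT, create_time TEXT)")
    con.executemany("INSERT INTO roles VALUES (?, ?, ?)",
                    [(2, "admin", "2025-01-01"), (1, "cashier", "2025-02-01")])
    return con.execute(safe_order_clause(interface, order_by)).fetchall()


if __name__ == "__main__":
    print(vulnerable_order_clause("id, and sleep(1)"))  # payload survives intact
    print(run_safe("roles", "name desc"))
```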