Deepakmisal24 Chemical Inventory Management System SQL Injection Vulnerability
Vulnerability
A SQL injection vulnerability has been identified in the Chemical Inventory Management System developed by deepakmisal24, version 1.0. The issue resides in the 'chem_name' parameter of the 'inventory_form.php' file. The value of this parameter is used in a SQL query without being parameterized or escaped, so an attacker who controls it also controls part of the SQL statement the database executes. The vulnerability can be exploited remotely, and a public exploit is available.
Impact
Exploitation of this vulnerability allows for unauthorized manipulation of SQL queries, which could lead to extraction, modification, or deletion of database information. Additionally, it may allow an attacker to gain administrative access to the application or compromise the overall system integrity and availability.
Reproduction
The vulnerability can be reproduced by sending a POST request to 'inventory_form.php' whose 'chem_name' value contains a single quote. The quote closes the string literal in the query early, and the database returns a syntax error, which confirms that the input reaches the query unescaped (a value without the quote is processed normally). Once confirmed, the same 'chem_name' parameter can be exploited with sqlmap, a widely used SQL injection automation tool, to enumerate and extract the database.
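The following is an added example, not code from the advisory or from the Chemical Inventory Management System itself. It reproduces the three observations above against a constructed SQLite database standing in for the application's real backend: a plain value is looked up normally, a single quote produces a database error, and a tautology payload returns every row. The table name, column names and exact query shape are assumptions made for illustration (the advisory only names the 'chem_name' parameter), and the parameterized lookup at the end is the form the vulnerable query should take.

```python
import sqlite3
from urllib.parse import urlencode


def make_db():
    """Constructed in-memory stand-in for the inventory table (schema assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE chemicals (id INTEGER PRIMARY KEY, chem_name TEXT, quantity INTEGER)"
    )
    conn.executemany(
        "INSERT INTO chemicals (chem_name, quantity) VALUES (?, ?)",
        [("Acetone", 10), ("Ethanol", 25), ("Sulfuric acid", 3)],
    )
    return conn


def post_body(chem_name):
    """Form body a POST to inventory_form.php would carry for the injected field.
    Only 'chem_name' is shown; any other fields the form requires are unknown here."""
    return urlencode({"chem_name": chem_name})


def lookup_vulnerable(conn, chem_name):
    """Hypothetical vulnerable pattern: the request value is concatenated into the SQL text.
    Returns the rows, or ("error", message) when the database rejects the statement,
    which is the signal the single-quote probe relies on."""
    query = (
        "SELECT id, chem_name, quantity FROM chemicals WHERE chem_name = '"
        + chem_name
        + "'"
    )
    try:
        return conn.execute(query).fetchall()
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


def confirm_injection(conn):
    """Manual confirmation step: a benign value works, the same value plus a
    single quote breaks the query. True means the parameter is injectable."""
    benign = lookup_vulnerable(conn, "Acetone")
    probed = lookup_vulnerable(conn, "Acetone'")
    return isinstance(benign, list) and isinstance(probed, tuple) and probed[0] == "error"


def lookup_safe(conn, chem_name):
    """Corrected form: the value is bound as a parameter, so a quote or an OR
    clause inside it is matched literally instead of parsed as SQL."""
    return conn.execute(
        "SELECT id, chem_name, quantity FROM chemicals WHERE chem_name = ?",
        (chem_name,),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("POST body for the probe:", post_body("'"))
    print("benign lookup:", lookup_vulnerable(db, "Acetone"))
    print("single-quote probe:", lookup_vulnerable(db, "'"))
    print("injectable:", confirm_injection(db))
    print("tautology dumps all rows:", lookup_vulnerable(db, "' OR '1'='1"))
    print("parameterized, same payload:", lookup_safe(db, "' OR '1'='1"))
```

The `' OR '1'='1` payload turns the WHERE clause into `chem_name = '' OR '1'='1'`, which is true for every row; that is the same control over the statement that sqlmap automates to read other tables. The parameterized version returns no rows for that input because the whole string, quotes included, is compared against `chem_name`.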
