SourceCodester Sales and Inventory System SQL Injection Vulnerability in Check Customer Details Handler

Vulnerability

A SQL injection vulnerability has been identified in SourceCodester Sales and Inventory System version 1.0. The issue resides in the POST handler of the file check_customer_details.php, where the stock_name1 parameter is not properly sanitized. This flaw allows authenticated attackers to inject malicious SQL queries, potentially leading to unauthorized data access. The vulnerability can be exploited remotely, and a public proof-of-concept is available.

Impact

Exploitation of this vulnerability allows for UNION-based, Boolean-based, and Time-based SQL injection, enabling attackers to exfiltrate database information, such as customer details and credentials, and to manipulate database queries for unauthorized purposes.

Reproduction

To reproduce this vulnerability, log into the application and send a POST request to check_customer_details.php with a crafted stock_name1 parameter. Alternatively, use sqlmap to automate the exploitation.
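For remediation, the following is an added illustration (not code from the SourceCodester project): a hypothetical reconstruction of the unsafe pattern the advisory describes, in which the stock_name1 POST value is concatenated into the query, beside a hardened handler that binds the value in a prepared statement and rejects implausible input first. The table and column names, and the mysqli connection, are assumptions.

```php
<?php
// Added example, not the project's own code. Table/column names are assumed.

function vulnerable_lookup(mysqli $db, array $post): ?array
{
    // Unsafe pattern: the untrusted parameter becomes part of the SQL text,
    // so it can change the query's structure instead of acting as a value.
    $name = $post['stock_name1'] ?? '';
    $sql  = "SELECT customer_id, customer_name, address "
          . "FROM customers WHERE customer_name = '$name'";
    $res  = $db->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

function hardened_lookup(mysqli $db, array $post): ?array
{
    // 1. Reject anything that cannot be a legitimate lookup key before it
    //    reaches the database (type, emptiness, length bound).
    $name = $post['stock_name1'] ?? null;
    if (!is_string($name) || $name === '' || strlen($name) > 100) {
        http_response_code(400);
        return null;
    }

    // 2. Send the query shape and the value separately: the placeholder is
    //    bound as a string, so the input can never be parsed as SQL.
    $stmt = $db->prepare(
        'SELECT customer_id, customer_name, address '
        . 'FROM customers WHERE customer_name = ?'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Usage in the POST handler (the existing session/authentication check is
// assumed to run before this point; connection parameters are placeholders):
// $db  = new mysqli('localhost', 'DB_USER', 'DB_PASS', 'DB_NAME');
// $row = hardened_lookup($db, $_POST);
// echo json_encode($row ?? ['error' => 'not found']);
```

The same prepared-statement pattern applies to every other handler in the application that builds SQL from request parameters, not only to check_customer_details.php.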

Added: Mar 8, 2026, 6:18 PM
Updated: Mar 8, 2026, 6:18 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 4.6
remediation: 0.0
relevance: 3.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.