SourceCodester Sales and Inventory System
cpe:2.3:a:sales_and_inventory_system_project:sales_and_inventory_system:*:*:*:*:*:*:*
- 1.0
A SQL injection vulnerability has been identified in SourceCodester Sales and Inventory System version 1.0. The issue resides in the dashboard.php file, specifically within the search component. The vulnerability is triggered by manipulating the 'searchtxt' parameter in POST requests, allowing authenticated attackers to inject arbitrary SQL commands. This exploitation can be performed remotely, taking advantage of the application's inadequate input sanitization.
Exploitation of this vulnerability allows for Boolean-based or Time-based blind SQL injection, enabling attackers to infer and exfiltrate data from the MySQL database, such as user credentials, customer information, and sales records.
To reproduce this vulnerability, log into the application and navigate to the dashboard. Use the search bar to submit SQL payloads via the 'searchtxt' parameter. Alternatively, hand the captured request to a tool such as sqlmap, which automates the exploitation process.
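As an added illustration (not the project's own code, since the advisory does not quote dashboard.php), the following reconstructs the vulnerable pattern described above beside a prepared-statement fix; the table name, column names and connection details are assumptions.

```php
<?php
// Illustrative reconstruction (assumption): a search handler of the kind the
// advisory describes. It is NOT the actual source of dashboard.php; the table,
// columns and credentials below are placeholders.

$mysqli = new mysqli('localhost', 'app_user', 'app_pass', 'inventory_db');

// --- Vulnerable pattern: the request parameter is spliced into the SQL text ---
// Whatever arrives in 'searchtxt' becomes part of the statement, so a quote
// followed by a boolean or time-based expression changes the query's logic,
// which is exactly what blind SQL injection relies on.
function search_vulnerable(mysqli $db, string $searchtxt): array {
    $sql = "SELECT id, name, price FROM products WHERE name LIKE '%" . $searchtxt . "%'";
    $res = $db->query($sql);
    return $res ? $res->fetch_all(MYSQLI_ASSOC) : [];
}

// --- Hardened form: prepared statement with a bound parameter ---
// The SQL text is fixed when the statement is prepared; the user value travels
// separately and is only ever compared as data, never parsed as SQL.
function search_safe(mysqli $db, string $searchtxt): array {
    $stmt = $db->prepare("SELECT id, name, price FROM products WHERE name LIKE ?");
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    // Escape the LIKE metacharacters so a user typing '%' or '_' gets a literal
    // match (MySQL's default ESCAPE character is the backslash), then add the
    // wildcards on the server side rather than trusting the client to.
    $pattern = '%' . addcslashes($searchtxt, '%_\\') . '%';
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Entry point: accept only POST requests from an authenticated session, which
// matches the advisory's description of the affected endpoint.
session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_SESSION['user_id'])) {
    $term = (string)($_POST['searchtxt'] ?? '');
    $rows = search_safe($mysqli, $term);
    header('Content-Type: application/json');
    echo json_encode($rows);
}
```

Replacing the concatenation with the bound parameter removes the injection path regardless of what the search term contains, so no payload-specific filtering is needed.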