SourceCodester Sales and Inventory System SQL Injection Vulnerability in Purchase Invoice Component

Vulnerability

A SQL injection vulnerability has been identified in SourceCodester Sales and Inventory System version 1.0. The issue resides in purchase_invoice.php, specifically in the purchaseid GET parameter. An authenticated attacker can supply crafted values for this parameter and execute arbitrary SQL commands, potentially gaining unauthorized access to data. The vulnerability is exploitable remotely, and a public exploit is available.
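The code pattern behind this class of finding, shown here as an added illustration that is not code from the SourceCodester project (the application's own source is not reproduced on this page): a constructed snippet that splices the purchaseid GET value straight into the query text, beside a hardened version that validates the parameter as a positive integer and binds it through a mysqli prepared statement. The table and column names (purchase, purchaseid, supplier, total) are assumptions for the example.

```php
<?php
// Added example, not the project's code. Illustrates the reported pattern
// (unvalidated $_GET['purchaseid'] used in SQL) and a hardened replacement.
// Table and column names are assumed.

// Make mysqli raise exceptions instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// --- Vulnerable pattern: the GET value becomes part of the SQL statement ---
function fetch_invoice_vulnerable(mysqli $db, array $get): ?array
{
    // Anything the client appends to the number is parsed as SQL, which is
    // what makes UNION-, Boolean- and time-based injection possible here.
    $sql = "SELECT * FROM purchase WHERE purchaseid = '" . ($get['purchaseid'] ?? '') . "'";
    $result = $db->query($sql);
    return $result->fetch_assoc() ?: null;
}

// --- Hardened version: validate the type, then bind the value ---
function fetch_invoice_hardened(mysqli $db, array $get): ?array
{
    // 1. purchaseid is a row identifier, so only a positive integer is acceptable.
    $id = filter_var(
        $get['purchaseid'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false || $id === null) {
        http_response_code(400);
        return null;
    }

    // 2. The value is sent as a bound parameter; the statement text is fixed.
    $stmt = $db->prepare(
        'SELECT purchaseid, supplier, total FROM purchase WHERE purchaseid = ?'
    );
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    return $row ?: null;
}

// Usage (connection parameters are placeholders):
// $db = new mysqli('localhost', 'user', 'password', 'inventory');
// $invoice = fetch_invoice_hardened($db, $_GET);
```

Both steps matter: the integer check rejects non-numeric input at the edge and returns a 400, while the prepared statement ensures that even a value which passes validation can never alter the query structure. Auditing for this pattern means looking for every place a request parameter is concatenated into a query string rather than bound.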

Impact

Exploitation of this vulnerability allows UNION-based, Boolean-based, and time-based SQL injection, enabling attackers to read database contents, including sensitive data, and potentially modify them.

Reproduction

To reproduce this vulnerability, log into the application and send a crafted HTTP GET request to purchase_invoice.php, injecting SQL into the purchaseid parameter. Alternatively, use sqlmap to automate the exploitation.

Added: Mar 9, 2026, 2:18 AM
Updated: Mar 9, 2026, 2:18 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 4.6
remediation: 0.0
relevance: 3.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.