SourceCodester Sales and Inventory System
cpe:2.3:a:sales_and_inventory_system_project:sales_and_inventory_system:*:*:*:*:*:*:*
- 1.0
A SQL injection vulnerability has been identified in SourceCodester Sales and Inventory System version 1.0. The issue resides in the 'view_customers.php' file, specifically within the HTTP POST request handling. The vulnerability is triggered by manipulating the 'searchtxt' parameter, allowing authenticated attackers to inject and execute arbitrary SQL commands. This exploitation can be performed remotely, and the injected SQL can be used to exfiltrate sensitive data from the MySQL database, including customer personal information, credentials, and sales data. Additionally, the vulnerability allows for database enumeration, where attackers can identify database tables, columns, and schema details.
Exploitation of this vulnerability allows arbitrary SQL to be executed against the application's database, with the potential to exfiltrate sensitive information such as customer personal data, credentials, and sales records. The vulnerability also facilitates database enumeration, enabling attackers to gather information about the database structure and contents.
To reproduce this vulnerability, log into the application and navigate to the 'Customers List' page. Once there, use the search bar to submit SQL injection payloads through the 'searchtxt' parameter. This can also be automated using a tool like SQLMap, targeting the same parameter to exploit the SQL injection vulnerability.
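The root cause described above is a search term from the POST body being spliced into a SQL string. The following is an added example written for this page, not code from the SourceCodester project: a customer-search handler of the kind 'view_customers.php' would need, rewritten so the 'searchtxt' value reaches MySQL only as a bound parameter. The table and column names (customers, id, name, email), the DSN and the credentials are assumptions; the unsafe pattern is shown only as a comment for contrast.

```php
<?php
// Added example (not the SourceCodester project's code): a customer search
// handler hardened against SQL injection with a PDO prepared statement.
// Table/column names, DSN and credentials below are assumptions.

declare(strict_types=1);

// UNSAFE pattern, shown for contrast only. The user-controlled search term
// becomes part of the SQL text, so it can change the statement's structure:
//   $sql = "SELECT * FROM customers WHERE name LIKE '%" . $_POST['searchtxt'] . "%'";

/**
 * Escape LIKE metacharacters with '!' so a literal '%' or '_' typed by the
 * user matches itself instead of acting as a wildcard. Parameter binding
 * alone prevents injection but does not neutralise wildcards.
 */
function escapeLike(string $term): string
{
    // '!' is replaced first so the escapes added afterwards are not re-escaped.
    return str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term);
}

/**
 * Search customers by name. The term travels to MySQL as a bound value,
 * never as SQL text, so quotes or comment markers in it have no effect on
 * the query being executed.
 */
function searchCustomers(PDO $pdo, string $searchtxt): array
{
    // Cap the length to keep pathological inputs out of the LIKE scan.
    $term = mb_substr(trim($searchtxt), 0, 100);

    $stmt = $pdo->prepare(
        "SELECT id, name, email
           FROM customers
          WHERE name LIKE :term ESCAPE '!'
          ORDER BY name
          LIMIT 200"
    );
    $stmt->bindValue(':term', '%' . escapeLike($term) . '%', PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Request handling for the POST form the advisory describes.
$pdo = new PDO(
    'mysql:host=127.0.0.1;dbname=inventory;charset=utf8mb4', // assumed DSN
    'app_user',                                              // assumed credentials
    'app_password',
    [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]
);

$searchtxt = (string) ($_POST['searchtxt'] ?? '');
$rows = searchCustomers($pdo, $searchtxt);

// Escape on the way out as well: the same form field is a classic XSS sink.
foreach ($rows as $row) {
    echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

Disabling emulated prepares makes the driver send the statement and the value separately to the server, which is the property that removes this class of bug; the `ESCAPE '!'` clause is independent of `sql_mode` settings such as `NO_BACKSLASH_ESCAPES`, which is why it is preferred here over the default backslash escape.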