SourceCodester Sales and Inventory System
cpe:2.3:a:sales_and_inventory_system_project:sales_and_inventory_system:*:*:*:*:*:*:*
- 1.0
A SQL injection vulnerability has been identified in SourceCodester Sales and Inventory System version 1.0. The issue resides in the 'view_payments.php' file, specifically within the HTTP POST request handler. The vulnerability is triggered by manipulating the 'searchtxt' parameter, allowing authenticated attackers to inject and execute arbitrary SQL commands. This exploitation can be performed remotely, taking advantage of the application's inadequate input sanitization. The backend database is MySQL, enabling the use of Boolean-based or Time-based blind injection techniques to exfiltrate sensitive data and enumerate database structures.
Exploitation of this vulnerability allows for unauthorized SQL command execution, leading to potential data exfiltration from the MySQL database. Attackers could retrieve sensitive information such as payment records, customer details, and transaction history. Additionally, the vulnerability could be used to enumerate database tables and structures.
To reproduce this vulnerability, log into the application and navigate to the payments view. Use the search functionality to submit SQL payloads through the 'searchtxt' parameter. Alternatively, capture the request with a tool like 'sqlmap' to automate the exploitation.
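The root cause described above is the classic one: a POST field is spliced directly into a MySQL query string. The PHP below is an added illustration of that pattern beside the fixed form; it is not the Sales and Inventory System's own code. The `payments` table, its column names, the `$db` mysqli connection and the credentials are all assumed for the example.

```php
<?php
// Added illustrative example (not the Sales and Inventory System's own code).
// Assumptions: a mysqli connection $db and a hypothetical `payments` table
// with columns `id`, `customer_name`, `reference`, `amount`, `paid_on`.

// Vulnerable pattern: the POST parameter is concatenated into the SQL text,
// so any quote or operator in the value becomes part of the query.
function search_payments_vulnerable(mysqli $db, string $searchtxt): array
{
    $sql = "SELECT id, customer_name, reference, amount, paid_on
            FROM payments
            WHERE customer_name LIKE '%" . $searchtxt . "%'
               OR reference LIKE '%" . $searchtxt . "%'";
    $result = $db->query($sql);
    return $result ? $result->fetch_all(MYSQLI_ASSOC) : [];
}

// Hardened form: a prepared statement keeps the search text as a bound value,
// so it can never change the query structure. LIKE metacharacters are escaped
// too, so a bare '%' cannot turn a search into a full-table listing.
function search_payments_safe(mysqli $db, string $searchtxt): array
{
    // Bound the length; a search term has no reason to be large.
    $searchtxt = mb_substr(trim($searchtxt), 0, 100);
    // Escape %, _ and \ so they match literally (MySQL's default escape is \).
    $pattern = '%' . addcslashes($searchtxt, '%_\\') . '%';

    $stmt = $db->prepare(
        "SELECT id, customer_name, reference, amount, paid_on
         FROM payments
         WHERE customer_name LIKE ? OR reference LIKE ?"
    );
    $stmt->bind_param('ss', $pattern, $pattern);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Request handler: read only the POST field and run only the safe search.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    // Placeholder connection details for the example.
    $db = new mysqli('localhost', 'app_user', 'app_password', 'inventory');
    $db->set_charset('utf8mb4');

    $rows = search_payments_safe($db, (string) ($_POST['searchtxt'] ?? ''));
    header('Content-Type: application/json');
    echo json_encode($rows);
}
```

The fix is the prepared statement; the LIKE escaping and the length cap are defence in depth. Since the advisory notes the injection is exploitable blind (Boolean- or time-based), a successful attack leaves no error in the application's output, so server-side logging of rejected or unusually slow `view_payments.php` POSTs is the practical detection signal while the patch is rolled out.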