SourceCodester Sales and Inventory System SQL Injection Vulnerability in Update Sales Component

A SQL injection vulnerability has been identified in SourceCodester Sales and Inventory System version 1.0. The issue resides in the 'update_sales.php' file, where the 'sid' parameter in the HTTP GET request is not properly sanitized. This flaw allows authenticated attackers to inject arbitrary SQL commands, potentially leading to unauthorized data access or manipulation. The vulnerability can be exploited remotely, and a public exploit is available.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can manipulate database queries to exfiltrate, modify, or delete database information. The vulnerability supports UNION-based, Boolean-based, and Time-based blind SQL injection techniques.

Reproduction

To reproduce this vulnerability, log into the application and send a crafted HTTP request to 'update_sales.php' with a SQL injection payload in the 'sid' parameter. Alternatively, use SQLMap to automate the exploitation.