CVE-2024-36779 - SQL Injection in Sourcecodester Stock Management System v1. (editCategories.php)
CVE-2024-36779 is a critical SQL Injection vulnerability in the popular open-source project Sourcecodester Stock Management System v1., located in the editCategories.php script. It lets attackers read, tamper with, or destroy database data.
In this post, we’ll break down how this bug happens, show a proof-of-concept, and explain the real-world risks. We keep everything simple, so whether you’re a developer, admin, or just interested in security, you’ll know what’s up and what to do next.
What Is SQL Injection?
SQL Injection is a security blunder where *input from users gets inserted right into SQL queries without being validated or passed as a bound parameter.* This lets an attacker make the database run statements of their choosing: sometimes just reading sensitive info, other times changing or deleting data.
Where’s the Vulnerability?
editCategories.php is used for editing product categories in the Stock Management System. The script grabs a category id straight from user input and uses it to fetch the category’s info from the database.
Let’s look at a simplified snippet from the vulnerable file:
<?php
// editCategories.php
include('db_connect.php');
if(isset($_GET['id'])){
    $id = $_GET['id'];
    $query = "SELECT * FROM categories WHERE id = $id";
    $result = mysqli_query($conn, $query);
    $row = mysqli_fetch_assoc($result);
    // ... more code ...
}
?>
Notice how $id is taken straight from the URL ($_GET['id']) and interpolated into the SQL string with *no* validation or parameter binding, so whatever the user puts in the id parameter becomes part of the query text.
Let’s see what an attacker can do. They can craft a link like:
http://<TARGET>/editCategories.php?id=1 UNION SELECT 1,2,version(),4--
This input hijacks the original SQL and appends the attacker’s own clause. Now, instead of just returning category 1, the query also returns the MySQL version and other info.
A more destructive injection could look like:
http://<TARGET>/editCategories.php?id=1; DROP TABLE users;--
If the backend allows stacked (multi-statement) queries, this would *delete* the users table entirely! Note that PHP’s mysqli_query(), which the vulnerable snippet uses, does not execute stacked statements, so this particular payload would fail against it; the UNION-based read above works regardless.
SQLMap can quickly test and exploit this:
sqlmap -u "http://<TARGET>/editCategories.php?id=1" --batch --dbs
This command automatically detects and dumps database names.
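For defenders, a quick way to check whether this endpoint has already been probed is to scan the web server’s access log for requests to editCategories.php whose id is anything other than a plain integer. The Python below is an added example for this write-up, not code from the project; the log lines are constructed in Apache/Nginx combined format, and the IP addresses and the sqlmap user-agent string are made up.

```python
"""Flag requests to editCategories.php whose id is not a plain integer.
Added example for this write-up, not project code; log lines are constructed."""
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format. The target is captured lazily up to the HTTP version so a
# raw, unencoded space in the URL (some clients send one) does not truncate it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>.*?) HTTP/[\d.]+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
ENDPOINT = "/editcategories.php"       # compared case-insensitively
INT_RE = re.compile(r"^\d+$")          # the only shape a category id should have
SCANNER_UA = ("sqlmap",)               # tool named in the post; extend as needed

# Constructed sample traffic: a normal edit, the two payloads from the post (one
# percent-encoded, one with raw spaces), a sqlmap baseline fetch, an unrelated hit.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Jun/2024:13:20:01 +0000] "GET /editCategories.php?id=7 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.0.0.9 - - [06/Jun/2024:13:21:44 +0000] "GET /editCategories.php?id=1%20UNION%20SELECT%201,2,version(),4-- HTTP/1.1" 200 1610 "-" "Mozilla/5.0"
10.0.0.9 - - [06/Jun/2024:13:22:10 +0000] "GET /editCategories.php?id=1; DROP TABLE users;-- HTTP/1.1" 500 0 "-" "curl/8.5.0"
10.0.0.12 - - [06/Jun/2024:13:25:03 +0000] "GET /editCategories.php?id=1 HTTP/1.1" 200 1532 "-" "sqlmap/1.8"
10.0.0.5 - - [06/Jun/2024:13:26:30 +0000] "GET /index.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

def find_suspicious(log_text):
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                    # not combined format; skip quietly
        url = urlsplit(m["target"])
        if url.path.lower() != ENDPOINT:
            continue
        # parse_qs percent-decodes values, so we judge what PHP's $_GET actually saw.
        ids = parse_qs(url.query, keep_blank_values=True).get("id", [])
        reasons = [f"non-integer id {v!r}" for v in ids if not INT_RE.match(v)]
        ua = m["ua"].lower()
        if any(tool in ua for tool in SCANNER_UA):
            reasons.append(f"scanner user-agent {m['ua']!r}")
        if reasons:
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "status": m["status"], "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["status"], "; ".join(hit["reasons"]))
```

A 500 on this endpoint next to a non-integer id is a strong sign the injected statement reached MySQL and errored, so those rows deserve the first look.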
References
Exploit Details: Exploit Database - CVE-2024-36779 Entry
Project Source: Sourcecodester Stock Management System v1. on SourceForge
NVD Entry: CVE-2024-36779
How to Fix
If you use this system, drop what you’re doing and patch NOW.
Immediate fix: never build SQL by pasting user input into the query string. Use prepared statements with bound parameters, and treat id as an integer.
Here’s how you can do it with prepared statements:
<?php
// editCategories.php (fixed): the id is bound as a parameter, never
// concatenated into the SQL text, so its content cannot alter the query.
include('db_connect.php');
if(isset($_GET['id'])){
    $id = $_GET['id'];
    $stmt = $conn->prepare("SELECT * FROM categories WHERE id = ?");
    if($stmt === false){
        die('Database error'); // do not echo $conn->error to users
    }
    $stmt->bind_param("i", $id); // "i": sent as an integer, whatever the string held
    $stmt->execute();
    $result = $stmt->get_result();
    $row = $result->fetch_assoc();
}
?>
Because the id travels to MySQL as a bound parameter rather than as part of the SQL text, this code never lets attackers sneak in their own SQL, no matter what the input contains.
Final Thoughts
The SQL Injection in Sourcecodester Stock Management System is easy to exploit and has serious consequences. If you use this software, update your code immediately. SQL Injection is still one of the top ways attackers break into sites and steal the crown jewels.
Stay safe: sanitize all user inputs, use prepared statements, and check your apps for these easy-to-miss flaws.
Share this post with your team, and double-check your own systems for similar bugs.
*(If you want to learn more, check the references above or try out the PoC in a safe, non-production environment.)*
*Exclusive write-up by [Assistant], 2024. For educational use only.*
Timeline
Published on: 06/06/2024 13:15:31 UTC
Last modified on: 08/20/2024 16:35:20 UTC