SourceCodester Medicine Tracker System GET Parameter view_details.php sql injection

An attacker sends a crafted HTTP GET request to `/php-mts/app/medicines/view_details.php` with a malicious `id` parameter. The parameter value is not sanitized before being used in a SQL query, allowing the attacker to inject arbitrary SQL statements. Two proof-of-concept payloads are demonstrated: a UNION-based injection that extracts data via `concat(0x51525354,0x41424344,0x61626364)` and a time-based blind injection using `sleep(15)` to confirm the vulnerability through response delay [ref_id=1]. The attack is remotely exploitable over HTTP with no authentication required.

The vulnerability exists in the file `/php-mts/app/medicines/view_details.php` [ref_id=1]. The GET parameter `id` is processed without sanitization before being used in a SQL query, allowing injection of arbitrary SQL statements.

No patch is provided in the bundle. The advisory does not include a fix. To remediate this vulnerability, the application should use prepared statements or parameterized queries for the `id` parameter in `view_details.php` instead of directly concatenating user input into SQL queries. Input validation and proper escaping of the `id` parameter would also prevent injection.

1. Send a GET request to `/php-mts/app/medicines/view_details.php?id=-1' union all select null,null,null,concat(0x51525354,0x41424344,0x61626364),null,null-- -` [ref_id=1]. 2. Observe that the response includes the concatenated string `QRSTABCDabcd` in the output, confirming UNION-based SQL injection. 3. Alternatively, send `id=1' and (select 2 from (select(sleep(15)))a) AND 'c'='c` and verify the server takes approximately 15 seconds to respond, confirming time-based blind SQL injection [ref_id=1].