SourceCodester Medicine Tracker System sql injection
Description
A vulnerability classified as critical was found in SourceCodester Medicine Tracker System 1.0. This vulnerability affects unknown code of the file /classes/Master.php?f=save_medicine. The manipulation of the argument id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-270010 is the identifier assigned to this vulnerability.
Affected products
- (no CPE) range: =1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization and lack of parameterized queries in the `id` POST parameter allow SQL injection."
Attack vector
An attacker sends a crafted POST request to `/classes/Master.php?f=save_medicine` with a malicious `id` parameter [ref_id=1]. The parameter is not sanitized or parameterized, enabling time-based blind SQL injection [ref_id=1]. The attack is remotely exploitable over HTTP with no authentication required, and the payload `id=' AND (SELECT 8594 FROM (SELECT(SLEEP(5)))EJYb) AND 'npqn'='npqn` demonstrates the injection by causing a 5-second database sleep [ref_id=1].
Affected code
The vulnerable code resides in `/php-mts/classes/Master.php`, specifically in the `save_medicine` function triggered via the `?f=save_medicine` action [ref_id=1]. The POST parameter `id` is passed unsanitized into a SQL query, allowing an attacker to inject arbitrary SQL statements [ref_id=1].
What the fix does
No patch has been published by the vendor. The advisory recommends using parameterized queries (prepared statements) or input validation on the `id` parameter to prevent SQL injection [ref_id=1]. Until a fix is released, developers should replace every dynamic SQL construction in `Master.php` with bound parameters; because `id` is a row key, it should additionally be rejected unless it is a plain integer, so that values such as the `SLEEP` payload above never reach the database driver at all.
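The fix described above as an added example, not code from the Medicine Tracker System (the original `Master.php` is not reproduced on this page). The shape of the handler (INSERT when `id` is empty, UPDATE otherwise), the table `medicine_list` with its `name` column, and the function names are assumptions made for illustration; the point is the contrast between concatenating `id` into the query text and binding it with a mysqli prepared statement after checking that it is numeric.

```php
<?php
// Added example; not the project's code. Table and column names are assumed.

// Vulnerable pattern: the POST value is spliced straight into the SQL text.
// A value like  ' AND (SELECT 8594 FROM (SELECT(SLEEP(5)))EJYb) AND 'npqn'='npqn
// closes the quoted literal and becomes part of the WHERE clause.
function save_medicine_vulnerable(mysqli $conn, array $post): bool
{
    $id   = $post['id'] ?? '';
    $name = $post['name'] ?? '';
    $sql  = "UPDATE medicine_list SET name = '{$name}' WHERE id = '{$id}'";
    return $conn->query($sql) !== false;
}

// Hardened version: validate the shape of id, then bind every value.
function save_medicine_fixed(mysqli $conn, array $post): bool
{
    $id = $post['id'] ?? '';
    // id is a row key: accept only an empty string (new row) or plain digits.
    // Reject anything else instead of trying to "clean" it.
    if ($id !== '' && !ctype_digit($id)) {
        return false;
    }
    $name = trim($post['name'] ?? '');
    if ($name === '') {
        return false;
    }

    if ($id === '') {
        $stmt = $conn->prepare("INSERT INTO medicine_list (name) VALUES (?)");
        if ($stmt === false) {
            return false;
        }
        $stmt->bind_param('s', $name);
    } else {
        $stmt = $conn->prepare("UPDATE medicine_list SET name = ? WHERE id = ?");
        if ($stmt === false) {
            return false;
        }
        // bind_param takes its arguments by reference, so the cast goes in a variable.
        $idInt = (int) $id;
        $stmt->bind_param('si', $name, $idInt);
    }

    // With a prepared statement the bound values travel as data, never as SQL
    // text, so the SLEEP payload cannot alter the query even if it got this far.
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Assumed wiring in the f=save_medicine branch of Master.php (hypothetical):
// $conn = new mysqli('localhost', 'user', 'pass', 'mts_db');
// echo save_medicine_fixed($conn, $_POST) ? 1 : 0;
```

With the digit check in place the time-based probe from the reproduction steps returns immediately, which is also the quickest way to confirm a deployed fix: send the `SLEEP(5)` payload and a benign `id` and compare response times.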
Preconditions
- network: The application must be publicly accessible or reachable by the attacker over the network.
- auth: The advisory states that no authentication or session is required and that the endpoint is exposed to unauthenticated users. Note that the reproduction steps capture the request from the `manage_medicine` page, so the captured request may carry a session cookie; confirm whether `f=save_medicine` is reachable without one before treating this as pre-auth.
- input: The attacker must be able to send arbitrary POST data to /classes/Master.php?f=save_medicine.
Reproduction
1. Navigate to `/php-mts/app/?page=medicines/manage_medicine` and intercept the save request with Burp Suite [ref_id=1].
2. Save the intercepted request as `master.txt`.
3. Run `sqlmap -r master.txt --batch --dbs` against the captured request [ref_id=1].
4. sqlmap identifies the `id` POST parameter as vulnerable to time-based blind SQL injection and extracts database contents [ref_id=1].
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/jadu101/CVE/blob/main/SourceCodester_Medicine_Tracker_System_Master_php_sqli.md (mitre; exploit)
- vuldb.com (mitre; third-party-advisory)
- vuldb.com (mitre; signature; permissions-required)
- vuldb.com (mitre; vdb-entry; technical-description)
News mentions
No linked articles in our index yet.