SourceCodester Indian Invoicing System Invoice Generation IGST_Invoice.php sql injection
Description
A vulnerability was found in SourceCodester Indian Invoicing System 1.0. This issue affects some unknown processing of the file /Invoicing/IGST_Invoice.php of the component Invoice Generation Handler. Manipulation of the argument customer_name/category results in SQL injection. The attack can be initiated remotely. The exploit has been made public and could be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Second-order SQL injection in SourceCodester Indian Invoicing System 1.0 allows remote attackers to execute arbitrary SQL commands via stored payloads in customer_name or category fields.
Vulnerability
A second-order SQL injection vulnerability exists in SourceCodester Indian Invoicing System version 1.0. In /Invoicing/IGST_Invoice.php, when generating an invoice, the application retrieves the customer_name and category values from the orders table. These values are then used to construct SQL queries without sanitization or prepared statements: `$custqry="select * from customers where customer_name='".$custname."'";` and `$catqry="select * from category where category_id='".$categoryid."'";`. Although the primary GET parameter id is checked with is_numeric(), the stored values are not validated, allowing previously injected data to trigger SQL injection. Version 1.0 is the only affected version, as reported in [1].
Exploitation
An attacker must first store a malicious payload into the customer_name or category fields via another vulnerable form, such as add_customer.php or orders.php, which lack input sanitization. The attacker can then send a POST request, e.g., with customer_name=Test' UNION SELECT 1,username,password,4,5,6 FROM users-- -. When a user accesses /Invoicing/IGST_Invoice.php for an invoice linked to that customer, the stored payload is retrieved and executed, allowing data exfiltration from other tables [1].
Impact
Successful exploitation enables remote execution of arbitrary SQL queries against the database. The attacker can read sensitive data (e.g., user credentials), modify database records, or escalate privileges, potentially leading to full administrative control of the application. The impact is critical, affecting confidentiality, integrity, and availability of the system.
Mitigation
As of the publication date, no patch has been released by SourceCodester; the vulnerability remains unpatched [1]. Mitigation requires rewriting the vulnerable queries in IGST_Invoice.php to use prepared statements or parameterized queries. Additionally, all forms that store data into the database should enforce strict input validation. Until a fix is applied, restrict access to the invoicing functionality and monitor for unauthorized data insertion. Due to the public exploit, replacing the software with a secure alternative is strongly recommended.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Second-order SQL injection: values retrieved from the database are concatenated directly into SQL queries without sanitization or parameterized queries."
Attack vector
An attacker first injects a malicious SQL payload into the `customer_name` or `category` field via a vulnerable entry point such as `add_customer.php` or `orders.php` [ref_id=1]. The payload is stored in the database. Later, when an administrator or user triggers `IGST_Invoice.php` (via the numeric `$_GET['id']` parameter), the application retrieves the stored value and concatenates it into a secondary SQL query without sanitization, causing the injected SQL to execute [ref_id=1]. The attack is performed remotely over HTTP with no special privileges required beyond the ability to submit data to the first-order forms [ref_id=1].
Affected code
The vulnerable endpoint is `/InvoicingSystem_PHP/Invoicing/IGST_Invoice.php`. The file retrieves `customer_name` and `category` values from the `orders` table and uses them directly in SQL queries without sanitization or prepared statements [ref_id=1]. Specifically, `$custname=$row["customer_name"]` is concatenated into `"select * from customers where customer_name='".$custname."'"`, and `$categoryid=$row["category"]` is concatenated into `"select * from category where category_id='".$categoryid."'"` [ref_id=1].
What the fix does
No patch has been published for this vulnerability [ref_id=1]. The advisory recommends replacing all `mysqli_query()` calls with parameterized queries using `mysqli_prepare()` and `bind_param()` to prevent SQL injection [ref_id=1]. Additionally, input validation and sanitization should be applied both at the point of entry (first-order) and before values retrieved from the database are used in queries (second-order) [ref_id=1].
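Hardened form of the two second-order queries named above, written as an added example for both the Mitigation and "What the fix does" sections; this is not the project's code or a published patch. It assumes an open mysqli connection `$conn`, an `orders.id` column matching the numeric `id` parameter, and the mysqlnd driver (for `get_result()`).

```php
<?php
// Added example: second-order queries from IGST_Invoice.php rewritten with
// mysqli_prepare()/bind_param() so values read back from the orders table are
// bound as data, never concatenated into SQL.
// Assumptions: $conn is an open mysqli connection; orders.id is the invoice key.

function loadInvoiceRows(mysqli $conn, string $rawId): array
{
    // First-order check kept as in the original: the id must be numeric.
    if (!is_numeric($rawId)) {
        throw new InvalidArgumentException('invoice id must be numeric');
    }
    $id = (int) $rawId;

    // Orders lookup, also parameterized rather than relying on is_numeric() alone.
    $stmt = $conn->prepare('SELECT customer_name, category FROM orders WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $order = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    if ($order === null) {
        return [];
    }

    // Second-order fix: stored values are bound as parameters, so a payload
    // previously written into customer_name or category cannot alter the query.
    $custName   = (string) $order['customer_name'];
    $categoryId = (string) $order['category'];

    $custStmt = $conn->prepare('SELECT * FROM customers WHERE customer_name = ?');
    $custStmt->bind_param('s', $custName);
    $custStmt->execute();
    $customer = $custStmt->get_result()->fetch_assoc();
    $custStmt->close();

    $catStmt = $conn->prepare('SELECT * FROM category WHERE category_id = ?');
    $catStmt->bind_param('s', $categoryId);
    $catStmt->execute();
    $category = $catStmt->get_result()->fetch_assoc();
    $catStmt->close();

    return ['customer' => $customer, 'category' => $category];
}
```

The same binding discipline belongs in add_customer.php and orders.php, since the advisory identifies those first-order forms as the place the payload is stored.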
Preconditions
- input: Attacker must be able to submit data to a first-order form (e.g., add_customer.php or orders.php) that stores values in the database
- network: The IGST_Invoice.php endpoint must be reachable over HTTP
- auth: No authentication or privilege requirement is specified; the advisory implies the attack can be performed with a valid session cookie
Reproduction
1. Send a POST request to `/InvoicingSystem_PHP/Invoicing/add_customer.php` with a malicious payload in the `customer_name` parameter, e.g.: `customer_name=Test'+UNION+SELECT+1,username,password,4,5,6+FROM+users--+-&customer_address=test&customer_gst=test` [ref_id=1].
2. Navigate to `/InvoicingSystem_PHP/Invoicing/IGST_Invoice.php` with a valid `id` parameter that references the order containing the stored payload. The injected UNION query executes, and credential data is leaked into the invoice rendering context [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- gist.github.com/c4ttr4ck/f60dfb9fc65a98ad6dde1840dc2c1a5e (mitre: exploit)
- vuldb.com/submit/813607 (mitre: third-party advisory)
- vuldb.com/vuln/365392 (mitre: vdb entry, technical description)
- vuldb.com/vuln/365392/cti (mitre: signature, permissions required)
- www.sourcecodester.com (mitre: product)
News mentions
No linked articles in our index yet.