SourceCodester Simple POS and Inventory System search.php sql injection
Description
A vulnerability was found in SourceCodester Simple POS and Inventory System 1.0. The affected element is an unknown function of the file /user/search.php. Manipulation of the argument Name results in SQL injection. The attack can be carried out remotely. The exploit has been made public and could be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in SourceCodester Simple POS and Inventory System 1.0 allows remote attackers to extract credentials via union-based payloads in search.php.
Vulnerability
The vulnerability resides in /user/search.php of SourceCodester Simple POS and Inventory System version 1.0. The name POST parameter is directly interpolated into a LIKE SQL query without sanitization or parameterization, enabling UNION-based SQL injection [1].
Exploitation
An attacker can exploit this by sending a POST request to /user/search.php with a crafted name parameter containing a SQL injection payload. No authentication is required. For example, the payload %' UNION SELECT 1,username,password,4,5,6 FROM user WHERE access=1 LIMIT 1-- - extracts the administrator's username and MD5 password hash from the database [1].
Impact
Successful exploitation allows the attacker to retrieve administrative credentials (username and MD5 password hash), leading to full compromise of the application. The same endpoint is also vulnerable to reflected XSS, but the primary impact here is information disclosure and potential privilege escalation [1].
Mitigation
As of the publication date, no patch is available for version 1.0. The vendor recommends using prepared statements or parameterized queries to prevent SQL injection. Users should apply input validation and output encoding to mitigate the risk [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Direct interpolation of user-supplied input into a SQL LIKE query without escaping or parameterization."
Attack vector
An attacker sends a POST request to /user/search.php with a crafted name parameter containing SQL injection payloads. The name value is directly interpolated into a LIKE SQL query without escaping [ref_id=1]. The PoC demonstrates a UNION-based payload that extracts administrator credentials (username and MD5 password hash) from the user table [ref_id=1]. The attack is remotely exploitable over HTTP with no authentication required beyond a valid session cookie.
Affected code
The vulnerable endpoint is /user/search.php, specifically the handling of the POST parameter name [ref_id=1]. The file /user/search_result.php is also affected via the GET parameter id [ref_id=1]. The code directly interpolates user input into a LIKE SQL query without escaping or parameterization.
What the fix does
No patch has been published for this vulnerability [ref_id=1]. The recommended remediation is to replace all raw SQL queries with parameterized prepared statements using mysqli_prepare(), and to apply htmlspecialchars() with ENT_QUOTES and UTF-8 encoding on all database values before rendering them in the UI [ref_id=1]. Additionally, the id parameter in search_result.php should be cast to an integer and search terms should have enforced length limits [ref_id=1].
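The remediation described above, as an added PHP example (not the project's own code): it assumes a mysqli connection $conn, a user table with id, name and username columns, a mysqlnd build so that get_result() is available, and a 64-character limit on search terms.

```php
<?php
// Added example, not code from the SourceCodester project: a hardened search
// handler following the remediation described above. $conn (mysqli), the
// table/column names (user, id, name, username) and the limit are assumed.
//
// Shape the advisory describes as vulnerable, for contrast only: the raw
// POST value becomes part of the SQL text, so a quote in the input closes
// the string literal and whatever follows is executed as SQL.
//   $sql = "SELECT ... FROM user WHERE name LIKE '%" . $_POST['name'] . "%'";

const MAX_SEARCH_LEN = 64;

function searchUsers(mysqli $conn, string $rawName): array {
    // Enforce a length limit before the value reaches the database.
    $name = trim($rawName);
    if ($name === '' || strlen($name) > MAX_SEARCH_LEN) {
        return [];
    }
    // Escape LIKE metacharacters so a user-supplied % or _ matches
    // literally; MySQL's default LIKE escape character is the backslash.
    $pattern = '%' . addcslashes($name, '\\%_') . '%';
    // Bind the pattern as a parameter: it is sent separately from the SQL
    // text, so quotes and UNION keywords inside it are never parsed as SQL.
    $stmt = $conn->prepare('SELECT id, name, username FROM user WHERE name LIKE ? LIMIT 50');
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Encode every database value on output (ENT_QUOTES, UTF-8), which also
// addresses the reflected XSS the advisory notes on the same endpoint.
function renderCell(?string $value): string {
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// For search_result.php: validate id as an integer and still bind it.
function loadUserById(mysqli $conn, $rawId): ?array {
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;
    }
    $stmt = $conn->prepare('SELECT id, name, username FROM user WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}
```

Because the search term travels as a bound parameter, the quote-and-UNION payload quoted in this advisory is matched as a literal name fragment rather than parsed as SQL, and the wildcard escaping keeps a lone % from matching every row.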
Preconditions
- network: Attacker must be able to send HTTP POST requests to the /user/search.php endpoint.
- input: Attacker must supply a crafted name parameter containing a SQL injection payload.
Reproduction
Send the following POST request to the vulnerable server (replace Host and Cookie values as appropriate):
POST /user/search.php HTTP/1.1
Host: localhost:8082
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=48068ce7875c00d88ca3aa2b9269b91f

ss=1&name=%25'%20UNION%20SELECT%201,username,password,4,5,6%20FROM%20user%20WHERE%20access=1%20LIMIT%201--%20-
The response will include the administrator's username and MD5 password hash in the search results [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] gist.github.com/c4ttr4ck/24c157c90227c3f5cd5e5d871449fed8 (mitre: exploit)
- [2] vuldb.com/submit/813614 (mitre: third-party-advisory)
- [3] vuldb.com/vuln/365428 (mitre: vdb-entry, technical-description)
- [4] vuldb.com/vuln/365428/cti (mitre: signature, permissions-required)
- [5] www.sourcecodester.com (mitre: product)
News mentions
No linked articles in our index yet.