Skip to content
Permalink
main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time
> [Suggested description]
> Art Gallery Management System v1.0 was discovered to contain a SQL
> injection vulnerability via the viewid parameter on the enquiry page.
>
> ------------------------------------------
>
> [Additional Information]
> Step To Reproduce:
>
> 1. navigate to the admin login page and login with the valid username and password<admin : Test@123>.
> URL: http://localhost/Art-Gallery-MS-PHP/admin/login.php
>
> 2. Now navigate "ANSWER ENQUIRY" by clicking on the "ENQUIRY" option on the left sidebar.
>
> 3. Now click on any of the Product "View Details" buttons and you will redirect to the datail page.
>
> 4. Now insert a single quote ( ' ) on "viewid" parameter to break the database query, you will see the output is not shown.
>
> 5. Now inject the payload double single quote ('') in the "viewid" parameter to merge the
> database query and after sending this request the SQL query is successfully performed and the product is shown in the output.
>
> 6. For fetching the data from database we use the "sqlmap" tool.
>
> 7. Now intercept the request of below url and copy the request by click on "copy to file" option on right click and save this as "requests.txt" name.
> URL: http://localhost/Art-Gallery-MS-PHP/admin/view-enquiry-detail.php?viewid=1
>
> 8. Now to get current database data to use the below "sqlmap" command.
> Command: sqlmap -r requests.txt --random-agent -p editid --current-db --risk=3 --level=3 --batch
>
> 9. Now get all data of the database using the below "sqlmap" command.
> Command: sqlmap -r requests.txt --random-agent -p editid --dump --risk=3 --level=3 --dbms=mysql --batch
>
> ------------------------------------------
>
> [Vulnerability Type]
> SQL Injection
>
> ------------------------------------------
>
> [Vendor of Product]
> https://phpgurukul.com/
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Art Gallery Management System Project in PHP - Art Gallery Management System Project in PHP - V 1.0
>
> ------------------------------------------
>
> [Affected Component]
> http://localhost/Art-Gallery-MS-PHP/admin/view-enquiry-detail.php?viewid=1
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Code execution]
> true
>
> ------------------------------------------
>
> [Impact Escalation of Privileges]
> true
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> SQL Injection (SQLi) is a type of injection attack that makes it possible to execute malicious SQL statements. an attacker can go around authentication and authorization of a web page or web application and retrieve the content of the entire SQL database. They can also use SQL Injection to add, modify, and delete records in the database.
>
> SQL injection attacks can be used to perform a variety of malicious actions, including:
> 1. Extracting sensitive data from the database, such as passwords, financial information, or personal information.
> 2. Modifying or deleting data from the database, potentially causing incorrect results or system failures.
> 3. Executing arbitrary commands on the database server, such as shutting down the server or creating new user accounts.
> 4. Gaining unauthorized access to the underlying operating system and taking complete control of the server.
>
> ------------------------------------------
>
> [Reference]
> https://phpgurukul.com/art-gallery-management-system-using-php-and-mysql/
> https://phpgurukul.com/projects/Art-Gallery-MS-PHP.zip
>
> ------------------------------------------
>
> [Discoverer]
> Rahul Patwari
Use CVE-2023-24726.