Headline
CVE-2023-39344: Pre-Auth SQLi leading to RCE in Social Media Skeleton v1.0 in fobybus/social-media-skeleton
social-media-skeleton is an incomplete social media project. A SQL injection vulnerability in the project allows UNION-based injections, which indirectly leads to remote code execution. Commit 3cabdd35c3d874608883c9eaf9bf69b2014d25c1 contains a fix for this issue.
SQL injection (SQLi) is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution. This particular SQLi vulnerability allows UNION-based injections, which indirectly leads to RCE.
Improper authorization in a web application undermines its security by exposing sensitive functionalities and resources to unauthorized users. This particular authorization vulnerability allows an unauthorized user to access this resource. Improper authorization is a pervasive problem throughout this application.
The affected script takes a value via a POST request and eventually concatenates it into a SQL query. admin/login.php, lines 4-5:
$uemail=$_POST['email'];
$upass=$_POST['password'];
This value is parsed as an array which can be manipulated to contain a malicious payload (sell_return.php, lines 8-9):
// user-controlled $uemail and $upass are interpolated directly into the SQL string
$query="select * from admin where email='$uemail' and password='$upass'";
$result=mysqli_query($dbcon,$query);
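For comparison, a hardened version of the same login step, written as an added example and not taken from the project or its fix commit. It assumes $dbcon is an open mysqli connection and that the admin table's password column holds password_hash() output (both assumptions; the original stores the value it compares in SQL).

```php
<?php
// Added example: hardened equivalent of admin/login.php lines 4-11.
// Assumes $dbcon is an open mysqli connection (as in the original) and that
// `admin.password` stores a password_hash() digest rather than plaintext.
session_start();

$uemail = $_POST['email'] ?? '';
$upass  = $_POST['password'] ?? '';

// Prepared statement: the e-mail is bound as a parameter, so quotes or
// UNION keywords inside it are treated as data and cannot alter the query.
$stmt = $dbcon->prepare('SELECT id, password FROM admin WHERE email = ? LIMIT 1');
$stmt->bind_param('s', $uemail);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();
$stmt->close();

// The password is never compared inside SQL; the stored hash is verified in PHP.
// A missing row and a wrong password take the same branch to avoid user enumeration.
if ($row === null || !password_verify($upass, $row['password'])) {
    http_response_code(401);
    exit('Invalid credentials');
}

// Successful login: rotate the session id before storing the admin identity.
session_regenerate_id(true);
$_SESSION['admin_id'] = (int) $row['id'];
```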
Affected URL/Area
/social-media-skeleton/admin/login.php
Risk Rating
Risk: HIGH
Difficulty to Exploit: LOW
report by Michael Blunt ([email protected])