CVE-2023-24726: CVE/CVE-2023-24726.txt at main · rahulpatwari/CVE

> [Suggested description] > Art Gallery Management System v1.0 was discovered to contain a SQL > injection vulnerability via the viewid parameter on the enquiry page. > > ------------------------------------------ > > [Additional Information] > Step To Reproduce: > > 1. navigate to the admin login page and login with the valid username and password<admin : Test@123>. > URL: http://localhost/Art-Gallery-MS-PHP/admin/login.php > > 2. Now navigate “ANSWER ENQUIRY” by clicking on the “ENQUIRY” option on the left sidebar. > > 3. Now click on any of the Product “View Details” buttons and you will redirect to the datail page. > > 4. Now insert a single quote ( ' ) on “viewid” parameter to break the database query, you will see the output is not shown. > > 5. Now inject the payload double single quote (‘’) in the “viewid” parameter to merge the > database query and after sending this request the SQL query is successfully performed and the product is shown in the output. > > 6. For fetching the data from database we use the “sqlmap” tool. > > 7. Now intercept the request of below url and copy the request by click on “copy to file” option on right click and save this as “requests.txt” name. > URL: http://localhost/Art-Gallery-MS-PHP/admin/view-enquiry-detail.php?viewid=1 > > 8. Now to get current database data to use the below “sqlmap” command. > Command: sqlmap -r requests.txt --random-agent -p editid --current-db --risk=3 --level=3 --batch > > 9. Now get all data of the database using the below “sqlmap” command. > Command: sqlmap -r requests.txt --random-agent -p editid --dump --risk=3 --level=3 --dbms=mysql --batch > > ------------------------------------------ > > [Vulnerability Type] > SQL Injection > > ------------------------------------------ > > [Vendor of Product] > https://phpgurukul.com/ > > ------------------------------------------ > > [Affected Product Code Base] > Art Gallery Management System Project in PHP - Art Gallery Management System Project in PHP - V 1.0 > > ------------------------------------------ > > [Affected Component] > http://localhost/Art-Gallery-MS-PHP/admin/view-enquiry-detail.php?viewid=1 > > ------------------------------------------ > > [Attack Type] > Remote > > ------------------------------------------ > > [Impact Code execution] > true > > ------------------------------------------ > > [Impact Escalation of Privileges] > true > > ------------------------------------------ > > [Impact Information Disclosure] > true > > ------------------------------------------ > > [Attack Vectors] > SQL Injection (SQLi) is a type of injection attack that makes it possible to execute malicious SQL statements. an attacker can go around authentication and authorization of a web page or web application and retrieve the content of the entire SQL database. They can also use SQL Injection to add, modify, and delete records in the database. > > SQL injection attacks can be used to perform a variety of malicious actions, including: > 1. Extracting sensitive data from the database, such as passwords, financial information, or personal information. > 2. Modifying or deleting data from the database, potentially causing incorrect results or system failures. > 3. Executing arbitrary commands on the database server, such as shutting down the server or creating new user accounts. > 4. Gaining unauthorized access to the underlying operating system and taking complete control of the server. > > ------------------------------------------ > > [Reference] > https://phpgurukul.com/art-gallery-management-system-using-php-and-mysql/ > https://phpgurukul.com/projects/Art-Gallery-MS-PHP.zip > > ------------------------------------------ > > [Discoverer] > Rahul Patwari Use CVE-2023-24726.