CVE-2023-38839: [VULN] Unauthenticated SQLi in ID parameter of fulldelete.php · Issue #2 · kiduswb/minimati

SQL injection vulnerability in Kidus Minimati v.1.0.0 allows a remote attacker to obtain sensitive information via the ID parameter in the fulldelete.php component.

An unauthenticated user can input SQL queries in the ID parameter to retrieve data. The ID parameter is vulnerable to “time-based blind SQL injection”. Furthermore, it is possible for an attacker to delete all the blog posts by injecting SQL commands.

I will explain both of them. Let's start with deleting all the posts through SQL injection.

Deleting all blog posts

The SQL query in Minimati.php that deletes a single blog post is:

DELETE FROM `blog` WHERE ID=$articleID

Now, if a user inputs 1 OR 1=1 in fulldelete.php for the ID parameter, the query becomes:

DELETE FROM `blog` WHERE ID=1 OR 1=1

Because 1=1 is always true, every record in the “blog” table is selected for deletion.
The below image illustrates the whole process. As can be seen, after running the bash script, MySQL returns "Empty set". The dangerous part is that an unauthenticated user can access "fulldelete.php".

Time-Based Blind SQL Injection

Time-based injection can be used to retrieve data. Even though it is a time-consuming process, there are tools which can make it easier, so an attacker won’t hesitate to exploit it.

To prove that a time-based SQL injection exists, consider the below request:

http://localhost/fulldelete.php?ID=1 AND (SELECT 1 FROM (SELECT(SLEEP(5)))vuln)

On execution, the page will wait 5 seconds or slightly more before sending a response, because the query becomes:

DELETE FROM `blog` WHERE ID=1 AND (SELECT 1 FROM (SELECT(SLEEP(5)))vuln)
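
The root cause in both cases is the same: the ID parameter is concatenated into the DELETE statement, and fulldelete.php requires no login. The following is an added example, not Minimati's own code, that reconstructs the interpolated query from the report next to a hardened version (authentication check, integer validation, bound parameter). It assumes a hypothetical $isAuthenticated flag for the session check and uses an in-memory SQLite database so it runs offline; the project itself uses MySQL, but the defect and the fix are the same.

```php
<?php
// Added example, not code from the Minimati project. SQLite in memory stands in
// for the MySQL database so the script is self-contained.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE blog (ID INTEGER PRIMARY KEY, title TEXT)');
$pdo->exec("INSERT INTO blog (ID, title) VALUES (1, 'a'), (2, 'b'), (3, 'c')");

function countPosts(PDO $pdo): int {
    return (int) $pdo->query('SELECT COUNT(*) FROM blog')->fetchColumn();
}

// Vulnerable pattern from the report: the request parameter is pasted into
// the statement, so "1 OR 1=1" widens a single-row delete to the whole table
// and "1 AND (SELECT ... SLEEP(5) ...)" lets the caller time the response.
function deleteUnsafe(PDO $pdo, string $articleID): void {
    $pdo->exec("DELETE FROM `blog` WHERE ID=$articleID");
}

// Hardened pattern: refuse unauthenticated callers, accept only a plain
// integer, and bind the value so it can never alter the query's structure.
// $isAuthenticated is a hypothetical stand-in for the application's session check.
function deleteSafe(PDO $pdo, string $articleID, bool $isAuthenticated): bool {
    if (!$isAuthenticated) {
        return false;                         // no login, no deletion
    }
    $id = filter_var($articleID, FILTER_VALIDATE_INT);
    if ($id === false) {
        return false;                         // "1 OR 1=1" is not an integer
    }
    $stmt = $pdo->prepare('DELETE FROM blog WHERE ID = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount() === 1;           // exactly one row removed
}

// Constructed input mirroring the report's payload.
$payload = '1 OR 1=1';

// The hardened path rejects the payload and leaves the table untouched,
// then deletes exactly one row for a legitimate integer ID.
echo deleteSafe($pdo, $payload, true) ? "deleted\n" : "rejected\n";
echo countPosts($pdo), " posts remain\n";
echo deleteSafe($pdo, '2', true) ? "deleted\n" : "rejected\n";
echo countPosts($pdo), " posts remain\n";

// The interpolated path empties the table with the same payload.
deleteUnsafe($pdo, $payload);
echo countPosts($pdo), " posts remain\n";
```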
