CVE-2023-23163: CVE/CVE-2023-23163.txt at main · rahulpatwari/CVE

> [Suggested description] > Art Gallery Management System Project v1.0 was discovered to contain a > SQL injection vulnerability via the editid parameter. > > ------------------------------------------ > > [Additional Information] > Step To Reproduce: > > 1. navigate to admin login page and login with the valid username and password<admin:Test@123>. > URL: http://localhost/Art-Gallery-MS-PHP/admin/login.php > 2. Now navigate “Manage ART TYPE” by clicking on “ART TYPE” option on left side bar. > 3. Now click on any of the Art Type “Edit” button and you will redirect to the edit page of art type. > 4. Now insert a single quote ( ' ) on “editid” parameter to break the database query, you will see the output is not shows. > > 3. Now inject the payload double single quote (‘’) in the “editid” parameter to merge the > database query and after sending this request the SQL query is successfully performed and product is shows in the output. > > 4. Now find how many column are returns by the SQL query. this query will return 6 column. > Payload:editid=6%27order%20by%203%20–%20- > > 5. for manually get data of database insert the below payload to see the user of the database. > payload: editid=-6%27union%20all%20select%201,user(),3–%20- > > 6.now to get all database data use below “sqlmap” command to fetch all the data. > Command: sqlmap http://localhost/Art-Gallery-MS-PHP/admin/edit-art-type-detail.php?editid=6 --cookie="PHPSESSID=hub8pub9s5c1j18cva9594af3q" --dump-all --batch > > ------------------------------------------ > > [Vulnerability Type] > SQL Injection > > ------------------------------------------ > > [Vendor of Product] > https://phpgurukul.com/ > > ------------------------------------------ > > [Affected Product Code Base] > Art Gallery Management System Project in PHP - Art Gallery Management System Project in PHP - V 1.0 > > ------------------------------------------ > > [Affected Component] > http://localhost/Art-Gallery-MS-PHP/admin/edit-art-type-detail.php?editid=1 > > ------------------------------------------ > > [Attack Type] > Remote > > ------------------------------------------ > > [Impact Code execution] > true > > ------------------------------------------ > > [Impact Escalation of Privileges] > true > > ------------------------------------------ > > [Impact Information Disclosure] > true > > ------------------------------------------ > > [Attack Vectors] > SQL Injection (SQLi) is a type of injection attack that makes it possible to execute malicious SQL statements. an attacker can go around authentication and authorization of a web page or web application and retrieve the content of the entire SQL database. They can also use SQL Injection to add, modify, and delete records in the database. > > SQL injection attacks can be used to perform a variety of malicious actions, including: > 1. Extracting sensitive data from the database, such as passwords, financial information, or personal information. > 2. Modifying or deleting data from the database, potentially causing incorrect results or system failures. > 3. Executing arbitrary commands on the database server, such as shutting down the server or creating new user accounts. > 4. Gaining unauthorized access to the underlying operating system and taking complete control of the server. > > ------------------------------------------ > > [Reference] > https://phpgurukul.com/art-gallery-management-system-using-php-and-mysql/ > https://phpgurukul.com/projects/Art-Gallery-MS-PHP.zip > > ------------------------------------------ > > [Discoverer] > Rahul Patwari Use CVE-2023-23163.