SQL Injection vulnerability in phpgurukul Student Project Allocation System 1.0 (add_project.php)

CVE-2024-10423

A vulnerability classified as critical was found in Project Worlds Student Project Allocation System 1.0. It affects an unknown function of the file /student/project_selection/project_selection.php of the component Project Selection Page. Manipulation of the project_id parameter with an unknown input leads to a SQL injection vulnerability. The advisory is available for download at github.com. This vulnerability is identified as CVE-2024-10423. The attack can be carried out over the network.

Affected Project: Student Project Allocation System 1.0

Official Website: https://projectworlds.in/student-project-allocation-system-using-php-with-source-code/

Version: 1.0

Related Code file: add_project.php

Injection parameter: project_id

Vulnerability Description

When adding a project, the project_id parameter is vulnerable to SQL injection.

Demonstration

This is what project_selection.php looks like:

Screenshot from 2024-10-26 14-19-41

Click on Add and intercept the traffic using Burp Suite:

Screenshot from 2024-10-26 14-28-13

Now copy the intercepted request, save it to add_project.req, and run sqlmap against it: sqlmap -r add_project.req --batch --dbms mysql --level 5 --risk 3 -p project_id

sqlmap automatically exploits the vulnerability:

Screenshot from 2024-10-26 14-29-00
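
For remediation, a hardened handler for the project_id parameter described above. This is an added example, not the application's code or the advisory author's: it accepts project_id only as a positive integer and passes it to MySQL through mysqli prepared statements. The table, column, session-key and connection names, the use of POST, and a numeric project_id are assumptions.

```php
<?php
declare(strict_types=1);

// Assumed names, not taken from the application's source: the `projects` and
// `project_selection` tables, their columns, the session key, the database
// name and account, and a numeric project_id sent by POST.

// Make mysqli throw exceptions instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/** Return project_id as a positive integer, or null for any other input. */
function parse_project_id(mixed $raw): ?int
{
    // Digits only, at most 9 of them, so the cast below cannot overflow.
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 9) {
        return null;
    }
    $id = (int) $raw;
    return $id > 0 ? $id : null;
}

/** Record a student's selection; every value reaches MySQL as a bound parameter. */
function add_project_selection(mysqli $db, int $studentId, int $projectId): bool
{
    // Bound as an integer ('i'): the value never becomes part of the SQL text.
    $check = $db->prepare('SELECT 1 FROM projects WHERE id = ?');
    $check->bind_param('i', $projectId);
    $check->execute();
    $check->store_result();
    $exists = $check->num_rows > 0;
    $check->close();
    if (!$exists) {
        return false;
    }
    $insert = $db->prepare('INSERT INTO project_selection (student_id, project_id) VALUES (?, ?)');
    $insert->bind_param('ii', $studentId, $projectId);
    $insert->execute();
    $insert->close();
    return true;
}

// Request handling: reject malformed input before touching the database.
session_start();
$projectId = parse_project_id($_POST['project_id'] ?? null);
$studentId = $_SESSION['student_id'] ?? null; // assumed session key
if ($projectId === null || !is_int($studentId)) {
    http_response_code(400);
    exit('Invalid request');
}
$db = new mysqli('localhost', 'app_user', getenv('DB_PASS') ?: '', 'spas'); // placeholder credentials
echo add_project_selection($db, $studentId, $projectId) ? 'Saved' : 'Unknown project';
```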