An attacker can inject arbitrary SQL commands into the database by injecting a parameter into the URL. For example, an attacker can inject the following URL to enable administrator privileges into the database: http://example.com/admin/article/list?sql_mode=Select&article_id=1 An attacker can also inject arbitrary SQL commands by injecting a parameter into the URL. For example, an attacker can inject the following URL to enable administrator privileges into the database: http://example.com/admin/article/list An attacker can also exploit the vulnerability by injecting a parameter directly into the URL. For example, an attacker can inject the following URL to enable administrator privileges into the database: http://example.com/admin/article/list An attacker can also exploit the vulnerability by injecting a parameter directly into the URL. For example, an attacker can inject the following URL to enable administrator privileges into the database: http://example.com/admin/article/list An attacker can also exploit the vulnerability by uploading a file with a malicious SQL query via the file upload functionality. For example, an attacker can upload the following file to enable administrator privileges into the database: http://example.com/admin/article/list?sql_mode=Select&article_id=1
Vulnerable Code:
SELECT * FROM article WHERE article_id=1
The attacker can now use the following code to execute a SELECT statement: http://example.com/admin/article/list?sql_mode=Select&article_id=1
Proof of concept (database injection)
A proof of concept for the vulnerability is available at https://github.com/brngnlabs/CVE-2022-38272
Timeline
Published on: 09/09/2022 14:15:00 UTC
Last modified on: 09/13/2022 16:52:00 UTC