Projectworlds Online Art Gallery Shop SQL Injection Vulnerability in adminHome.php

A SQL injection vulnerability has been identified in the Online Art Gallery Shop project version 1.0. The issue resides in the adminHome.php file, where the social_linked parameter is manipulated to inject malicious SQL queries. This vulnerability can be exploited remotely, allowing attackers to gain unauthorized access to the database, leak sensitive information, tamper with data, and potentially disrupt services.

Impact

Exploitation of this vulnerability allows for unauthorized database access, manipulation of database contents, and extraction of sensitive information. Such actions could lead to a complete compromise of the application and its data.

Reproduction

The vulnerability can be reproduced by sending a POST request to the admin/adminHome.php file with a crafted social_linked parameter. Several payloads can be used to exploit the SQL injection, including boolean-based blind, error-based, and time-based blind injection techniques. Tools like sqlmap can automate the exploitation process.

Remediation

To address this vulnerability, it is recommended to use prepared statements and parameter binding to prevent SQL injection. Additionally, input validation and filtering should be implemented to ensure user input conforms to expected formats. Minimizing database user permissions and conducting regular security audits can further enhance the application's security.