CVE-2023-23155
📋 TL;DR
This SQL injection vulnerability in Art Gallery Management System 1.0 lets an unauthenticated attacker inject arbitrary SQL through the username parameter of the admin login page. Depending on the privileges of the database account, this can lead to authentication bypass, theft of the stored data, or complete compromise of the host. Anyone running this version of the PHP application is affected.
💻 Affected Systems
- Art Gallery Management System Project in PHP
📦 What is this software?
Art Gallery Management System is a PHP and MySQL web application distributed by PHPGurukul (see References). It includes an admin login page used to manage gallery content.
⚠️ Risk & Real-World Impact
Worst Case
Complete system takeover: the attacker bypasses authentication as admin, extracts the entire database (including stored credentials) and, if the database account has file-write or similar privileges, potentially executes code on the server.
Likely Case
Authentication bypass leading to unauthorized admin access, followed by data exfiltration or manipulation of gallery content.
If Mitigated
The injected value is bound as data by a parameterized query and the login simply fails; a WAF rule blocking obvious SQL patterns may also stop unsophisticated attempts.
🎯 Exploit Status
Trivially exploitable: a single crafted value in the username POST parameter, with no prior access required. A public proof of concept is available as a GitHub gist (see References).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: Not available
Restart Required: No
Instructions:
No official patch exists. Replace the string-concatenated query in the login handler with a prepared statement that binds the username and password as parameters; treat input validation as defence in depth, not as the fix.
🔧 Temporary Workarounds
Input Validation and Sanitization
Add server-side validation of the username parameter (length, allowed character set) before it reaches the query, as defence in depth.
Modify login.php to use a prepared statement so the value is bound as data, for example: $stmt = $conn->prepare('SELECT * FROM admin WHERE username = ?'); $stmt->bind_param('s', $username); $stmt->execute(); $result = $stmt->get_result(); Bind the password the same way rather than concatenating it into the query.
Web Application Firewall (WAF)
Deploy WAF rules to block SQL injection patterns in requests to the login page.
Add WAF rule: detect and block SQL keywords and quote-OR tautologies in POST parameters. Match on whole tokens (UNION SELECT, ' OR ') rather than bare substrings, which would block legitimate usernames containing "or" or "select". A keyword blocklist can be bypassed with encoding or comment tricks, so treat it as a stopgap until the query is parameterized.
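Both workarounds above come down to one change: bind the username (and password) as parameters instead of splicing them into the query string. The following added example is mine, not the project's code; it is written in Python with sqlite3 rather than the application's PHP/mysqli so that it runs stand-alone, and the schema, the password hashing and the payloads are constructed for the demonstration. The vulnerable function accepts the page's payload with a wrong password; the parameterized one rejects it, and a comment-based variant as well.

```python
import hashlib
import sqlite3


def hash_pw(password):
    # Hashing is an assumption for this demo; it does not affect the injection.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    """Constructed demo schema; the real application's table layout is not reproduced."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute(
        "INSERT INTO admin (username, password) VALUES (?, ?)",
        ("admin", hash_pw("correct-horse")),
    )
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """The injectable pattern: user input spliced into the SQL text.

    username = "admin' OR '1'='1" turns the WHERE clause into
        username = 'admin' OR '1'='1' AND password = '...'
    and AND binds tighter than OR, so the admin row comes back for any password.
    """
    sql = (
        "SELECT id, username FROM admin "
        f"WHERE username = '{username}' AND password = '{hash_pw(password)}'"
    )
    return conn.execute(sql).fetchone()


def safe_login(conn, username, password):
    """The fix: placeholders are bound as data and never parsed as SQL."""
    return conn.execute(
        "SELECT id, username FROM admin WHERE username = ? AND password = ?",
        (username, hash_pw(password)),
    ).fetchone()


def bypassed(login_fn, conn, username):
    """True if login_fn grants access for this username with a wrong password."""
    return login_fn(conn, username, "definitely-wrong") is not None


# The page's payload, plus a comment-based variant that needs no tautology.
PAYLOADS = ["admin' OR '1'='1", "admin'--"]

if __name__ == "__main__":
    db = make_db()
    for p in PAYLOADS:
        print(f"{p!r}: vulnerable={bypassed(vulnerable_login, db, p)} "
              f"safe={bypassed(safe_login, db, p)}")
```

The second payload is why a blocklist on `OR '1'='1` alone is not a fix: commenting out the rest of the clause bypasses the password check without any tautology, while the bound-parameter version treats the whole string as a username that simply does not exist.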
🧯 If You Can't Patch
- Isolate the system behind VPN or restrict access to trusted IP addresses only.
- Implement strong authentication (MFA) for admin access and monitor login attempts.
🔍 How to Verify
Check if Vulnerable:
Test the admin login page (only on a system you are authorized to test) with the payload username=admin' OR '1'='1 and any password: a login that succeeds, or that behaves differently from a normal wrong-password attempt, indicates the injection.
Check Version:
Check project files for version information or review source code for vulnerable login.php
Verify Fix Applied:
Attempt SQL injection after implementing parameterized queries - should return login failure instead of bypass.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL errors in application logs
- Multiple failed login attempts with SQL patterns
- Successful admin login from unexpected IP
Network Indicators:
- POST requests to login.php whose parameters contain SQL keywords or operators (UNION, SELECT, OR, --); match keywords as whole words, since a bare substring match on OR or SELECT flags ordinary usernames
- Abnormal response patterns from login endpoint
SIEM Query:
source=web_logs AND uri="/admin/login.php" AND (post_param="*UNION*" OR post_param="*SELECT*" OR post_param="*OR '1'='1*") (field names are illustrative; adapt them to your log schema)
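The detection logic above, as an added example that is not part of the original page: a Python scan over constructed JSON events of the kind a WAF or application logger would forward to a SIEM. The event format, the field names and the /admin/login.php path are assumptions chosen to match the SIEM query above. The scan URL-decodes the POST body before matching and uses word-bounded patterns, so a username such as victoria.orr is not flagged for containing "or".

```python
import json
import re
from collections import Counter
from urllib.parse import parse_qs

# Assumed login path, matching the SIEM query on this page.
LOGIN_URI = "/admin/login.php"

# Constructed sample events (not real logs): one JSON object per line with the
# raw POST body, roughly what a WAF or application layer would ship to a SIEM.
SAMPLE_EVENTS = """\
{"src_ip":"203.0.113.7","method":"POST","uri":"/admin/login.php","body":"username=admin%27+OR+%271%27%3D%271&password=x","status":302}
{"src_ip":"198.51.100.2","method":"POST","uri":"/admin/login.php","body":"username=curator&password=Summer2023","status":200}
{"src_ip":"203.0.113.7","method":"POST","uri":"/admin/login.php","body":"username=%27+UNION+SELECT+1%2C2%2C3--+&password=x","status":500}
{"src_ip":"198.51.100.9","method":"POST","uri":"/admin/login.php","body":"username=victoria.orr&password=pass","status":200}
{"src_ip":"198.51.100.9","method":"GET","uri":"/index.php","body":"","status":200}
"""

# Word-bounded patterns: a bare substring match on "OR" or "SELECT" would also
# flag legitimate usernames such as "victoria.orr".
SQLI_PATTERNS = {
    "quoted_tautology": re.compile(r"'\s*or\s*'", re.I),              # admin' OR '1'='1
    "numeric_tautology": re.compile(r"\bor\b\s+\d+\s*=\s*\d+", re.I),  # OR 1=1
    "union_select": re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I),
    "comment_marker": re.compile(r"--|/\*"),                           # truncate the clause
}


def classify_value(value):
    """Return the names of every injection pattern matched by one decoded POST value."""
    return [name for name, rx in SQLI_PATTERNS.items() if rx.search(value)]


def detect_login_sqli(events_text, login_uri=LOGIN_URI):
    """Scan JSON-per-line events; return one finding per suspicious POST parameter."""
    findings = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("method") != "POST" or ev.get("uri") != login_uri:
            continue
        # parse_qs URL-decodes, so encoded quotes and spaces are matched as written.
        params = parse_qs(ev.get("body", ""), keep_blank_values=True)
        for param, values in params.items():
            for value in values:
                hits = classify_value(value)
                if hits:
                    findings.append({
                        "src_ip": ev["src_ip"],
                        "param": param,
                        "value": value,
                        "patterns": hits,
                        "status": ev["status"],
                    })
    return findings


def attempts_per_source(findings):
    """Count flagged requests per source IP, for a repeated-attempts alert threshold."""
    return Counter(f["src_ip"] for f in findings)


if __name__ == "__main__":
    found = detect_login_sqli(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['src_ip']} {f['param']}={f['value']!r} -> {f['patterns']} (HTTP {f['status']})")
    print(attempts_per_source(found))
```

A flagged payload followed by a 302 (the redirect a successful login issues) is the strongest signal in the set; pair it with the "successful admin login from unexpected IP" indicator above rather than alerting on pattern matches alone.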
🔗 References
- https://gist.github.com/y0gesh-verma/3de9b3e3f0d2b63c07e6704e232d9620
- https://phpgurukul.com/art-gallery-management-system-using-php-and-mysql/
- https://phpgurukul.com/projects/Art-Gallery-MS-PHP.zip