VYPR
Unrated severity · NVD Advisory · Published May 31, 2022 · Updated Aug 3, 2024

CVE-2022-30828

Description

Wedding Management System v1.0 is vulnerable to SQL Injection via \admin\photos_edit.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Wedding Management System v1.0 has a SQL injection vulnerability in /admin/photos_edit.php that allows an unauthenticated attacker to extract database information.

Vulnerability

Wedding Management System v1.0, a PHP-based application by codeastro.com, contains a SQL injection vulnerability in the /admin/photos_edit.php file. The id parameter is directly incorporated into a SQL query without proper sanitization or parameterization, allowing an attacker to inject arbitrary SQL commands. The vulnerability is present in version 1.0 and is exposed in the admin interface [1].

Exploitation

An attacker can exploit this vulnerability by sending an HTTP GET request to /Wedding-Management/admin/photos_edit.php with a malicious id parameter. No authentication is required. For example, a payload such as id=-37%20union%20select%201,2,database(),4,5,6,7,8,9,10--+ retrieves the current database name. The attack is straightforward and can be performed with a web browser or a tool such as cURL [1].

Impact

Successful exploitation allows an unauthenticated attacker to extract sensitive information from the database, such as database names, table contents, and potentially user credentials. The information disclosure can compromise the confidentiality of the system, leading to further attacks [1].

Mitigation

As of the publication date (2022-05-31), no official patch or update has been released by the vendor. Users should implement input validation and parameterized queries for the id parameter, or restrict access to the admin panel. The application may be end-of-life; migrating to a more secure alternative is recommended [1].
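
The mitigation described above, sketched as an added example (not code from the application or its vendor): the id value is validated as a positive integer and then bound to a prepared statement, behind a session check. The photos table, its columns, the admin_id session key and the function names are assumptions, and an in-memory SQLite database stands in for the application's MySQL backend.

```php
<?php
// Added example: hardened lookup for the id parameter of photos_edit.php.
// Table/column names and the session key are assumptions; the advisory does
// not show the application's source. SQLite in memory stands in for MySQL.
declare(strict_types=1);

function requireAdmin(array $session): bool
{
    // Assumed session key; the advisory reports the page answered without login.
    return isset($session['admin_id']);
}

function parsePhotoId($raw): ?int
{
    // Accept only a positive decimal integer; everything else is rejected.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function fetchPhoto(PDO $db, $rawId): ?array
{
    $id = parsePhotoId($rawId);
    if ($id === null) {
        return null; // caller should answer with HTTP 400
    }
    // The value is bound as data, so it cannot alter the structure of the query.
    $stmt = $db->prepare('SELECT id, title, image FROM photos WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE photos (id INTEGER PRIMARY KEY, title TEXT, image TEXT)');
$db->exec("INSERT INTO photos (id, title, image) VALUES (37, 'Ceremony', 'ceremony.jpg')");

// Payload quoted in the advisory, URL-decoded as PHP presents it in $_GET.
$payload = '-37 union select 1,2,database(),4,5,6,7,8,9,10-- ';

var_dump(requireAdmin([]));          // request that carries no admin session
var_dump(fetchPhoto($db, '37'));     // well-formed id
var_dump(fetchPhoto($db, $payload)); // advisory payload, stopped at validation
```

Either control alone blocks the quoted payload; keeping both means a later relaxation of the validation rule does not reopen the injection.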

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
