Vendor: APBoard
By: secret
CVSS: 7.5 (HIGH)
Type: SQL Injection
CWE: 89
Product Name: APBoard
Affected Version From: 2.1.0
Affected Version To: 2.1.0
Patch Exists: N/A
Related CWE: N/A
CPE: a:php-programs.de:apboard:2.1.0
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Microsoft OS
2010

APBoard 2.1.0 / board.php?id= SQL Injection

APBoard 2.1.0 is affected by a SQL injection vulnerability in the id parameter of board.php, which allows an attacker to inject malicious SQL code into the web application. The vulnerability is present in versions 2.1.0 and earlier of APBoard. It is triggered by sending a specially crafted HTTP request containing SQL code, which the application then executes, allowing the attacker to gain access to sensitive data stored in the database or to modify that data.

Mitigation:

To mitigate this vulnerability, ensure that all user input is properly sanitized and validated before being used in any SQL queries.
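
One way to apply this to a numeric id parameter like the one in board.php, shown as an added example that is not APBoard's code and not part of the original advisory. The boards table, its columns and the function names are hypothetical; it assumes PHP 8 with the pdo_sqlite extension.

```php
<?php
declare(strict_types=1);

// Hypothetical schema: APBoard's real tables and columns are not shown on the page.
function open_demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE boards (id INTEGER PRIMARY KEY, title TEXT)');
    $pdo->exec("INSERT INTO boards (id, title) VALUES (6, 'General discussion')");
    return $pdo;
}

// Accept only a canonical positive decimal integer. Arrays (id[]=6), signs,
// whitespace, leading zeros, trailing characters and overflow are all rejected.
function parse_board_id(mixed $raw): ?int
{
    if (!is_string($raw) || !ctype_digit($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Returns the row, or null when the id is invalid or unknown.
function fetch_board(PDO $pdo, mixed $rawId): ?array
{
    $id = parse_board_id($rawId);
    if ($id === null) {
        return null; // a real handler would answer 400 here
    }
    // The placeholder keeps the value out of the SQL text; it is bound as an integer.
    $stmt = $pdo->prepare('SELECT id, title FROM boards WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$pdo = open_demo_db();
// Constructed inputs standing in for $_GET['id'].
foreach (['6', "6'", '6 abc', '06', ['6'], '42'] as $candidate) {
    $row = fetch_board($pdo, $candidate);
    printf("%-8s => %s\n", json_encode($candidate), $row ? $row['title'] : 'rejected or not found');
}
```

Validation and binding are layered on purpose: the prepared statement alone keeps the value out of the SQL text, while the strict parse lets the handler reject and log malformed ids before any query runs.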

Exploit-DB raw data:

############################################################################################################# 
## APBoard 2.1.0  / board.php?id= SQL Injection                                           ## 
## Author         : secret - mohammed.atta@hotmail.com                                   ## 
## Homepage       : http://swissfaking.net/                                             ## 
## Date           : 05 August, 2010                                                    ## 
############################################################################################################# 
#################################################### 
# APBoard 2.1.0  / board.php?id= SQL Injection
#################################################### 
# Discovered by : secret 
# Site          : http://swissfaking.net/ 
# Dork          : APBoard 2.1.0 © 2003-2010 APP - Another PHP Program
# Vendor        : http://www.php-programs.de/ 
# Version       : 2.1.0 and earlier 
# Exploit       : http://www.yoursite.de/board/board.php?id=X[SQL INJECTION]
# Tested on     : Microsoft OS
  
e.g. http://server/board/board.php?id=6[get union columns&USERS'] (-sqlinjection)
   
######################################################################################## 
  
#note : IRAN owns - mohammed.atta@hotmail.com