Contact Manager 1.0 'femail' Parameter SQL Injection

2017.09.18
Credit: Ihsan Sencan
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

# # # # # # Exploit Title: Contact Manager 1.0 - SQL Injection # Dork: N/A # Date: 15.09.2017 # Vendor Homepage: http://savsofteproducts.com/ # Software Link: http://www.contactmanagerscript.com/download/contact_manager_1380185909.zip # Demo: http://contactmanagerscript.com/demo/ # Version: 1.0 # Category: Webapps # Tested on: WiN7_x64/KaLiLinuX_x64 # CVE: N/A # # # # # # Exploit Author: Ihsan Sencan # Author Web: http://ihsan.net # Author Social: @ihsansencan # # # # # # Description: # The vulnerability allows an attacker to inject sql commands.... # # Vulnerable Source: # # ............. # <a href="login.php?forgot=1">Forgot Password ?</a> # <?php # if(isset($_REQUEST["forgot"])){ # if($_REQUEST["forgot"]=="2"){ # $result=mysql_query("select * from co_setting where Email='$_REQUEST[femail]' "); # $count=mysql_num_rows($result); # if($count==1) # # { # # $npass=rand("5556","99999"); # # $to = $row['femail']; # $subject = "Password Reset"; # $message = "New Primary Password is: $npass \r\n"; # $headers = "From: $Email"; # # $npass=md5($npass); # # $query="update co_setting set Password='$npass' where Email='$_REQUEST[femail]'"; # mysql_query($query); # ............. # # Proof of Concept: # # http://localhost/[PATH]/login.php?forgot=2&femail=[SQL] # # Etc.. # # # # #


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top