CVE-2007-3526
Buddy Zone < 1.5 - SQL Injection via News ID, Category ID, or Member ID Parameter
Title source: llm
Exploitation Summary
EIP tracks 1 public exploit for CVE-2007-3526. PoCs published by t0pP8uZz.
AI-analyzed exploit summary: This exploit demonstrates SQL injection vulnerabilities in Buddy Zone Version 1.5 and prior. It provides multiple URLs with crafted SQL queries to extract admin and user credentials from the database.
Description
Multiple SQL injection vulnerabilities in Buddy Zone 1.5 and earlier allow remote attackers to execute arbitrary SQL commands via (1) the news_id parameter to view_news.php, (2) the cat_id parameter to view_events.php, or (3) the member_id parameter to video_gallery.php.