CVE-2008-0371

aliTalk 1.9.1.1 - SQL Injection via mohit, id, or username Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2008-0371. PoCs published by tomplixsee.

AI-analyzed exploit summary The exploit demonstrates multiple vulnerabilities in ALITALK v1.9.1.1, including SQL injection, password change bypass, user registration bypass, and admin/user login SQL injection. It provides specific code snippets and example URLs to exploit these vulnerabilities.

Description

Multiple SQL injection vulnerabilities in aliTalk 1.9.1.1, when magic_quotes_gpc is disabled, allow remote authenticated users to execute arbitrary SQL commands via (1) the mohit parameter to (a) inc/receivertwo.php; and allow remote attackers to execute arbitrary SQL commands via (2) the id parameter to (b) inc/usercp.php, related to functionz/usercp.php; or (3) the username parameter to (c) admin/index.php, related to functionz/first_process.php, or (d) index.php. NOTE: some of these details are obtained from third party information.

Exploits (1)

exploitdb WORKING POC VERIFIED

by tomplixsee · textwebappsphp

https://www.exploit-db.com/exploits/4922

View Code ZIP pw:eip

The exploit demonstrates multiple vulnerabilities in ALITALK v1.9.1.1, including SQL injection, password change bypass, user registration bypass, and admin/user login SQL injection. It provides specific code snippets and example URLs to exploit these vulnerabilities.

Classification

Working Poc 95%

Attack Type

Sqli | Auth Bypass

Complexity

Trivial

Reliability

Reliable

Target: ALITALK v1.9.1.1

Auth required

Prerequisites: Access to the target application · Valid user credentials for certain exploits

MITRE ATT&CK