CVE-2008-0538

phpIP Management 4.3.2 - SQL Injection via Password and ID Parameters

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2008-0538. PoCs published by Charles Hooper.

AI-analyzed exploit summary This exploit demonstrates SQL injection vulnerabilities in phpIP 4.3.2, allowing unauthorized administrative access and information disclosure. The PoC includes a union-based SQLi for authentication bypass and another for dumping user credentials.

Description

Multiple SQL injection vulnerabilities in phpIP Management 4.3.2 allow remote attackers to execute arbitrary SQL commands via the (1) password parameter to login.php, the (2) id parameter to display.php, and unspecified other vectors. NOTE: some of these details are obtained from third party information.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Charles Hooper · textwebappsphp

https://www.exploit-db.com/exploits/4990

View Code ZIP pw:eip

This exploit demonstrates SQL injection vulnerabilities in phpIP 4.3.2, allowing unauthorized administrative access and information disclosure. The PoC includes a union-based SQLi for authentication bypass and another for dumping user credentials.

Classification

Working Poc 100%

Attack Type

Sqli

Complexity

Trivial

Reliability

Reliable

Target: phpIP 4.3.2

No auth needed

Prerequisites: Access to the login page · Valid username (e.g., 'phpip' or 'admin')

MITRE ATT&CK