CVE-2008-2890
Online Fantasy Football League <= 0.2.6 - SQL Injection via fflteam_id, league_id, or player_id Parameter
Title source: llm
Exploitation Summary
EIP tracks 1 public exploit for CVE-2008-2890. PoCs published by t0pP8uZz.
AI-analyzed exploit summary: This is a writeup detailing SQL injection vulnerabilities in OFFL <= 0.2.6, providing specific exploit URLs to extract admin and user credentials via UNION-based SQLi. No executable code is present.
Description
Multiple SQL injection vulnerabilities in Online Fantasy Football League (OFFL) 0.2.6 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) fflteam_id parameter to teams.php, the (2) league_id parameter to leagues.php, and the (3) player_id parameter to players.php.