Exploitation Summary
EIP tracks 1 public exploit for CVE-2008-4877. PoCs published by t0pP8uZz.
AI-analyzed exploit summary
This document describes a SQL injection vulnerability in WebCards <= 1.3, allowing remote attackers to bypass admin authentication by injecting SQL syntax into the login fields. It also outlines a method to upload a shell via the admin panel.
Description
SQL injection vulnerability in admin.php in WebCards 1.3, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the user parameter. NOTE: some of these details are obtained from third-party information.