CVE-2008-4900

YourFreeWorld Classifieds Blaster Script - SQL Injection via tr.php id Parameter

Exploitation Summary

EIP tracks 2 public exploits for CVE-2008-4900. PoCs published by Hussin X.

AI-analyzed exploit summary: This exploit demonstrates a remote SQL injection vulnerability in Classifieds Blaster by injecting a UNION-based SQL query to extract admin credentials (username and password) from the 'adminsettings' table. The payload is appended to the 'id' parameter in the URL, leveraging the application's failure to sanitize user input.

Description

SQL injection vulnerability in tr.php in YourFreeWorld Classifieds Blaster Script allows remote attackers to execute arbitrary SQL commands via the id parameter.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Hussin X · text · webapps · php
https://www.exploit-db.com/exploits/6944

This exploit demonstrates a remote SQL injection vulnerability in Classifieds Blaster by injecting a UNION-based SQL query to extract admin credentials (username and password) from the 'adminsettings' table. The payload is appended to the 'id' parameter in the URL, leveraging the application's failure to sanitize user input.

Classification: Working PoC (90%)
Attack Type: SQLi
Complexity: Trivial
Reliability: Reliable
Target: Classifieds Blaster (version unspecified)
No auth needed
Prerequisites: Access to the vulnerable web application · The 'tr.php' endpoint must be exposed and vulnerable
devstral-2 · analyzed Feb 18, 2026

exploitdb WORKING POC VERIFIED
by Hussin X · text · webapps · php
https://www.exploit-db.com/exploits/6936

This exploit demonstrates a SQL injection vulnerability in Banner Management script via the 'id' parameter in 'tr.php'. The payload uses a UNION-based SQLi to extract database information including user, version, and database name.

Classification: Working PoC (90%)
Attack Type: SQLi
Complexity: Trivial
Reliability: Reliable
Target: Banner Management script (version unspecified)
No auth needed
Prerequisites: Access to the vulnerable 'tr.php' endpoint
devstral-2 · analyzed Feb 18, 2026

References (4)

Core References
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/6944
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/49600
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/32062
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2008/2981

Scores

EPSS 0.0101
EPSS Percentile 58.6%

Details

CWE: CWE-89
Status: published
Products (1): yourfreeworld/classifieds_blaster_script
Published: Nov 04, 2008
Tracked Since: Feb 18, 2026