CVE-2009-2308

Affiliation module for PunBB <= 1.1.0 - SQL Injection via in or out Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2009-2308. PoCs published by Dante90.

AI-analyzed exploit summary: This exploit demonstrates a blind SQL injection vulnerability in PunBB Affiliations.php OUT Mod <= v1.1. It uses time-based techniques to extract user password hashes by brute-forcing each character.

Description

Multiple SQL injection vulnerabilities in affiliates.php in the Affiliation (aka Affiliates) module 1.1.0 and earlier for PunBB allow remote attackers to execute arbitrary SQL commands via the (1) in or (2) out parameter.

Exploits (1)

exploitdb · WORKING POC · VERIFIED
by Dante90 · perl · webapps · php
https://www.exploit-db.com/exploits/9055

Classification: Working PoC (95%)
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: PunBB Affiliations.php OUT Mod <= v1.1
No auth needed
Prerequisites: Target URL with vulnerable PunBB Affiliations.php OUT Mod · User ID to extract password hash
devstral-2 · analyzed Feb 16, 2026

References (6)

Core References
Exploit, Third Party Advisory exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/9055
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/55478
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/35654
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/51437

Scores

EPSS 0.0118
EPSS Percentile 63.4%

Details

CWE: CWE-89
Status: published
Products (2):
punres/affiliates_mod 1.0.0
punres/affiliates_mod < 1.1.0
Published: Jul 02, 2009
Tracked Since: Feb 18, 2026