CVE-2009-3500

BPowerHouse BPGames 1.0 - SQL Injection via cat_id or game_id Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2009-3500. PoCs published by OoN Boy.

AI-analyzed exploit summary This exploit demonstrates a blind SQL injection vulnerability in BPGames 1.0. It uses time-based techniques to extract data from the database by iterating through possible characters for each position in the target column.

Description

Multiple SQL injection vulnerabilities in BPowerHouse BPGames 1.0 allow remote attackers to execute arbitrary SQL commands via the (1) cat_id parameter to main.php and (2) game_id parameter to game.php.

Exploits (1)

exploitdb WORKING POC VERIFIED

by OoN Boy · perlwebappsphp

https://www.exploit-db.com/exploits/9838

View Code ZIP pw:eip

This exploit demonstrates a blind SQL injection vulnerability in BPGames 1.0. It uses time-based techniques to extract data from the database by iterating through possible characters for each position in the target column.

Classification

Working Poc 95%

Attack Type

Sqli

Complexity

Moderate

Reliability

Reliable

Target: BPGames 1.0

No auth needed

Prerequisites: Target URL with vulnerable BPGames installation · Valid ID parameter for SQL injection

MITRE ATT&CK

T1505 - Server Software Component T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/36828

Exploit x_refsource_misc

http://packetstormsecurity.org/0909-exploits/bpgames-sql.txt

Vendor Advisory vdb-entry x_refsource_vupen

http://www.vupen.com/english/advisories/2009/2742

Scores

EPSS 0.0099

EPSS Percentile 57.9%

Details

CWE

CWE-89

Status published

Products (1)

bpowerhouse/bpgames 1.0

Published Sep 30, 2009

Tracked Since Feb 18, 2026