CVE-2012-5849

ClipBucket < 2.6 - SQL Injection via Multiple Parameters

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2012-5849. PoCs published by High-Tech Bridge SA.

AI-analyzed exploit summary The exploit demonstrates multiple SQL injection vulnerabilities in ClipBucket 2.6 Revision 738 via various parameters in the `/ajax.php` script and other endpoints. It includes PoC code for error-based and blind SQL injection techniques.

Description

Multiple SQL injection vulnerabilities in ClipBucket 2.6 Revision 738 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) uid parameter in an add_friend action to ajax.php; id parameter in a (2) share_object, (3) add_to_fav, (4) rating, or (5) flag_object action to ajax.php; cid parameter in an (6) add_new_item, (7) remove_collection_item, (8) get_item, or (9) load_more_items action to ajax.php; (10) ci_id parameter in a get_item action to ajax.php; user parameter to (11) user_contacts.php or (12) view_channel.php; (13) pid parameter to view_page.php; (14) tid parameter to view_topic.php; or (15) v parameter to watch_video.php.

Exploits (1)

exploitdb WORKING POC

by High-Tech Bridge SA · textwebappsphp

https://www.exploit-db.com/exploits/23252

View Code ZIP pw:eip

The exploit demonstrates multiple SQL injection vulnerabilities in ClipBucket 2.6 Revision 738 via various parameters in the `/ajax.php` script and other endpoints. It includes PoC code for error-based and blind SQL injection techniques.

Classification

Working Poc 100%

Attack Type

Sqli

Complexity

Trivial

Reliability

Reliable

Target: ClipBucket 2.6 Revision 738

Auth required

Prerequisites: Network access to the target application · User registration may be required for some endpoints

MITRE ATT&CK