CVE-2013-0135

PHP Address Book 8.2.5 - SQL Injection via Multiple Parameters


Exploitation Summary

EIP tracks 11 public exploits for CVE-2013-0135. PoCs published by Jurgen Voorneveld.

AI-analyzed exploit summary: The provided text describes a SQL injection vulnerability in PHP Address Book 8.2.5, specifically in the POST parameter 'email' of the user registration endpoint. It lacks actual exploit code but references the vulnerability details and affected version.

Description

Multiple SQL injection vulnerabilities in PHP Address Book 8.2.5 allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) addressbook/register/delete_user.php, (2) addressbook/register/edit_user.php, or (3) addressbook/register/edit_user_save.php; the email parameter to (4) addressbook/register/edit_user_save.php, (5) addressbook/register/reset_password.php, (6) addressbook/register/reset_password_save.php, or (7) addressbook/register/user_add_save.php; the username parameter to (8) addressbook/register/checklogin.php or (9) addressbook/register/reset_password_save.php; the (10) lastname, (11) firstname, (12) phone, (13) permissions, or (14) notes parameter to addressbook/register/edit_user_save.php; the (15) q parameter to addressbook/register/admin_index.php; the (16) site parameter to addressbook/register/linktick.php; the (17) password parameter to addressbook/register/reset_password.php; the (18) password_hint parameter to addressbook/register/reset_password_save.php; the (19) var parameter to addressbook/register/traffic.php; or a (20) BasicLogin cookie to addressbook/register/router.php.

Exploits (11)

exploitdb WRITEUP VERIFIED
by Jurgen Voorneveld · text · webapps · php
https://www.exploit-db.com/exploits/38433

The provided text describes a SQL injection vulnerability in PHP Address Book 8.2.5, specifically in the POST parameter 'email' of the user registration endpoint. It lacks actual exploit code but references the vulnerability details and affected version.

Classification: Writeup 80%
Attack Type: SQLi
Complexity: Trivial
Reliability: Theoretical
Target: PHP Address Book 8.2.5
No auth needed
Prerequisites: Access to the registration endpoint
devstral-2 · analyzed Feb 16, 2026

exploitdb WRITEUP VERIFIED
by Jurgen Voorneveld · text · webapps · php
https://www.exploit-db.com/exploits/38432

The provided text describes a SQL injection vulnerability in PHP Address Book 8.2.5, where unsanitized user input in the 'var' parameter of traffic.php can be exploited. However, no actual exploit code is included, only a description and a sample URL.

Classification: Writeup 80%
Attack Type: SQLi
Complexity: Trivial
Reliability: Theoretical
Target: PHP Address Book 8.2.5
No auth needed
Prerequisites: Access to the vulnerable endpoint
devstral-2 · analyzed Feb 16, 2026

exploitdb WRITEUP VERIFIED
by Jurgen Voorneveld · text · webapps · php
https://www.exploit-db.com/exploits/38431

The provided text describes a SQL injection vulnerability in PHP Address Book 8.2.5, where insufficient input sanitization in the 'BasicLogin' cookie variable allows attackers to manipulate SQL queries. No actual exploit code is included, only a description and reference link.

Classification: Writeup 90%
Attack Type: SQLi
Complexity: Trivial
Reliability: Theoretical
Target: PHP Address Book 8.2.5
No auth needed
Prerequisites: Access to the target application's registration endpoint
devstral-2 · analyzed Feb 16, 2026

exploitdb WRITEUP VERIFIED
by Jurgen Voorneveld · text · webapps · php
https://www.exploit-db.com/exploits/38430

The provided text describes a SQL injection vulnerability in PHP Address Book 8.2.5, where unsanitized user input in the reset_password_save.php script can be exploited. The writeup includes a sample URL demonstrating the vulnerable parameters but lacks actual exploit code.

Classification: Writeup 80%
Attack Type: SQLi
Complexity: Trivial
Reliability: Theoretical
Target: PHP Address Book 8.2.5
No auth needed
Prerequisites: Access to the vulnerable endpoint
devstral-2 · analyzed Feb 16, 2026

exploitdb WRITEUP VERIFIED
by Jurgen Voorneveld · text · webapps · php
https://www.exploit-db.com/exploits/38429

The provided text describes a SQL injection vulnerability in PHP Address Book 8.2.5, where unsanitized user input in the 'email' and 'password' parameters of the reset_password.php script can be exploited. No actual exploit code is included, only a description and a URL template for exploitation.

Classification: Writeup 80%
Attack Type: SQLi
Complexity: Trivial
Reliability: Theoretical
Target: PHP Address Book 8.2.5
No auth needed
Prerequisites: Access to the target application's reset_password.php endpoint
devstral-2 · analyzed Feb 16, 2026

exploitdb WRITEUP VERIFIED
by Jurgen Voorneveld · text · webapps · php
https://www.exploit-db.com/exploits/38428

The provided text describes a SQL injection vulnerability in PHP Address Book 8.2.5, where the 'site' parameter in 'linktick.php' is not properly sanitized. It lacks actual exploit code but references the vulnerability and its potential impact.

Classification: Writeup 80%
Attack Type: SQLi
Complexity: Trivial
Reliability: Theoretical
Target: PHP Address Book 8.2.5
No auth needed
Prerequisites: Access to the vulnerable endpoint
devstral-2 · analyzed Feb 16, 2026

exploitdb WRITEUP VERIFIED
by Jurgen Voorneveld · text · webapps · php
https://www.exploit-db.com/exploits/38427

This is a vulnerability writeup describing SQL injection vulnerabilities in PHP Address Book 8.2.5. It provides a URL template demonstrating how unsanitized input parameters can be exploited but does not include functional exploit code.

Classification: Writeup 90%
Attack Type: SQLi
Complexity: Trivial
Reliability: Theoretical
Target: PHP Address Book 8.2.5
No auth needed
Prerequisites: Access to the target application
devstral-2 · analyzed Feb 16, 2026

exploitdb WRITEUP VERIFIED
by Jurgen Voorneveld · text · webapps · php
https://www.exploit-db.com/exploits/38426

The provided text describes a SQL injection vulnerability in PHP Address Book 8.2.5, where the 'id' parameter in 'edit_user.php' is not properly sanitized. It lacks actual exploit code, serving only as a vulnerability description.

Classification: Writeup 80%
Attack Type: SQLi
Complexity: Trivial
Reliability: Theoretical
Target: PHP Address Book 8.2.5
No auth needed
Prerequisites: Access to the vulnerable endpoint
devstral-2 · analyzed Feb 16, 2026

exploitdb WRITEUP VERIFIED
by Jurgen Voorneveld · text · webapps · php
https://www.exploit-db.com/exploits/38425

The provided text describes a SQL injection vulnerability in PHP Address Book 8.2.5, where the 'id' parameter in 'delete_user.php' is not properly sanitized. No actual exploit code is included, only a description and a sample URL.

Classification: Writeup 90%
Attack Type: SQLi
Complexity: Trivial
Reliability: Theoretical
Target: PHP Address Book 8.2.5
No auth needed
Prerequisites: Access to the target URL
devstral-2 · analyzed Feb 16, 2026

exploitdb WRITEUP VERIFIED
by Jurgen Voorneveld · text · webapps · php
https://www.exploit-db.com/exploits/38434

The provided text describes a SQL injection vulnerability in PHP Address Book 8.2.5, where unsanitized user input in the 'username' parameter of 'checklogin.php' can be exploited. No actual exploit code is included, only a description and a sample URL.

Classification: Writeup 80%
Attack Type: SQLi
Complexity: Trivial
Reliability: Theoretical
Target: PHP Address Book 8.2.5
No auth needed
Prerequisites: Access to the target application's registration page
devstral-2 · analyzed Feb 16, 2026

exploitdb WRITEUP VERIFIED
by Jurgen Voorneveld · text · webapps · php
https://www.exploit-db.com/exploits/38435

The provided text describes a SQL injection vulnerability in PHP Address Book 8.2.5, where unsanitized user input in the 'q' parameter of 'admin_index.php' can be exploited. However, no actual exploit code is included, only a description and a sample URL.

Classification: Writeup 90%
Attack Type: SQLi
Complexity: Trivial
Reliability: Theoretical
Target: PHP Address Book 8.2.5
No auth needed
Prerequisites: Access to the vulnerable endpoint
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Exploit, US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/183692
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/99623

Scores

EPSS: 0.0298
EPSS Percentile: 85.5%

Details

CWE: CWE-89
Status: published
Products (1): chatelao/php_address_book 8.2.5
Published: Apr 09, 2013
Tracked Since: Feb 18, 2026