CVE-2013-1748

PHP Address Book 8.2.5 - SQL Injection via edit.php or import.php Parameters

Exploitation Summary

EIP tracks 1 public exploit for CVE-2013-1748. PoCs published by CWH Underground.

AI-analyzed exploit summary: The exploit demonstrates SQL injection and XSS vulnerabilities in PHP-Address Book <= 3.1.5. It provides functional exploit URLs for SQLi via union-based injection in view.php and edit.php, and XSS via the 'group' parameter in index.php.

Description

Multiple SQL injection vulnerabilities in PHP Address Book 8.2.5 allow remote attackers to execute arbitrary SQL commands via unspecified parameters to (1) edit.php or (2) import.php. NOTE: the view.php id vector is already covered by CVE-2008-2565.1 and the edit.php id vector is already covered by CVE-2008-2565.2.

Exploits (1)

exploitdb WORKING POC VERIFIED
by CWH Underground · text · webapps · php
https://www.exploit-db.com/exploits/5739

Classification: Working PoC 95%
Attack Type: SQLi | XSS
Complexity: Trivial
Reliability: Reliable
Target: PHP-Address Book <= 3.1.5
No auth needed
Prerequisites: Access to the target web application
devstral-2 · analyzed Feb 18, 2026

References (2)

Core References
Exploit mailing-list x_refsource_mlist
http://openwall.com/lists/oss-security/2013/04/17/2
Exploit mailing-list x_refsource_mlist
http://openwall.com/lists/oss-security/2013/04/17/5

Scores

EPSS 0.0102
EPSS Percentile 59.0%

Details

CWE: CWE-89
Status: published
Products (1): chatelao/php_address_book 8.2.5
Published: Apr 18, 2013
Tracked Since: Feb 18, 2026