GBook SQL injection vulnerability? Someone's been drunk...

Post by **Klemen** » Tue Aug 25, 2009 7:44 pm

Just thought I would share an anecdote with you.

It came to my attention that numerous reports have been spreading around the Web about a SQL injection vulnerability in GBook from PHPjunkyard, such as

##PHP junkyard Guestbook v1.6 (mes_id) Sql Injection Vuln.
##Yazar: Bgh7
##
##Turk Bilisim Gucleri / Ihlilal Hatti
##
##ByBgh7[a]Msn.Com
##
##Bgh7.Blogspot.Com
##
##Bug: Sql Injection
##
##Ä°ndir/Download: http://www.phpjunkyard.com/php-guestbook-script.php
##
##Not: $20.00 USD

Sql: site/guestbook.php?mes_id=-99999 UNION SELECT
0,1,2,concat_ws(user,0x3a,pass,0x3a,mail),4,5,6,7,8,9,10,11,12 FROM
jyuser--

The funny part is - GBook doesn't use a SQL database at all so SQL injection vulnerabilities are not even remotely possible. Looks like the script kiddie who calls himself "Bgh7" has been drunk while testing this...

Anyway, just thought I'd let you all know before someone gets a panic attack.

DC · Post by DC » Wed Aug 26, 2009 3:38 am

That is funny, I was thinking the same thing when I was reading the heading I was like what? SQL thats like the ignaramouses who try and breach my scripts with MSQL exploits what are these guys drinking? Klem are you sure you didn't buy them the beer as they must really be loaded ...

DC