CVE-2008-5191
Published 2008-11-21
Priority P355 · high · 7.5 · CVSS 2.0
AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 17.58% (96.8th percentile)
Multiple SQL injection vulnerabilities in SePortal 2.4 allow remote attackers to execute arbitrary SQL commands via the (1) poll_id parameter to poll.php and the (2) sp_id parameter to staticpages.php.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| seportal | seportal | — | — |
Detection & IOCs (extracted from sources)
url: poll.php?poll_id=1'+union+select+1,convert(concat_ws(0x3a3a,user_name,user_password)+using+latin1),1,1,1,1,1,1,1,1+from+seportal_users+limit+1,1/*
url: http://demo.seportal.org/poll.php?poll_id=1'+union+select+1,convert(concat_ws(0x3a3a,user_name,user_password)+using+latin1),1,1,1,1,1,1,1,1+from+seportal_users+limit+1,1/*
url: http://localhost/seportal2.5/staticpages.php?sp_id=1%27%20%20and+extractvalue%28rand%28%29,concat%280x7e,version%28%29%29%29--%20-
- Detect SQL injection attempts against poll.php via the poll_id parameter — look for UNION SELECT payloads with convert/concat_ws functions targeting the seportal_users table.
- Detect error-based SQL injection against staticpages.php via the sp_id parameter — look for extractvalue(rand(),concat(...)) or CONCAT/MID/IFNULL/CAST patterns in the sp_id query string.
- Monitor for POST requests to /admin/downloads.php with multipart/form-data containing a PHP file upload (action=savefile), which is the RCE step following session hijack via SQLi.
- Monitor GET requests to /data/down_media/*.php — uploaded PHP payloads are stored and executed from this path after exploitation.
- The Metasploit module uses a non-admin login to steal the admin session cookie (sessionid) via SQL injection on staticpages.php, then replays it to /admin/downloads.php — alert on session cookie reuse from different IPs.
- Use the Google dork 'Powered by SePortal 2.5' to identify exposed vulnerable installations for asset inventory and attack surface reduction.
- The SQLi vulnerability in staticpages.php exists because sp_id is interpolated directly into the SQL query without sanitization — the vulnerable sink is the WHERE clause: WHERE sp_id = '".$sp_id."'
- The Metasploit module targets SePortal 2.5 specifically; the original CVE-2008-5191 was disclosed against version 2.4 — both versions share the same vulnerable parameters (poll_id and sp_id).
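The request-level detection notes above, written as a check over web server access logs (an added example, not code from this page or from any project it cites). It assumes combined-format logs and integer-valued poll_id/sp_id in normal traffic; the function names and sample lines are constructed, and because request bodies are not logged, every POST to the admin download page is flagged for review.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined-log-format prefix: client IP, HTTP method, request target.
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>[A-Z]+) (?P<target>\S+)')
# Injectable parameters named in the CVE description.
WATCHED = {"/poll.php": "poll_id", "/staticpages.php": "sp_id"}
# SQL fragments listed in the detection notes, plus a bare quote (ids are assumed numeric).
SQLI = re.compile(r"'|union\s+select|extractvalue\s*\(|concat(_ws)?\s*\(|"
                  r"\b(mid|ifnull|cast)\s*\(|seportal_users", re.I)

def classify(line):
    """Return (client_ip, finding) for a suspicious log line, else None."""
    m = LINE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    path = url.path.lower()
    for script, param in WATCHED.items():
        if path.endswith(script):
            # parse_qs decodes %XX and '+', so URL-encoded payloads match too.
            values = parse_qs(url.query, keep_blank_values=True).get(param, [])
            if any(SQLI.search(v) for v in values):
                return m["ip"], f"sqli:{param}"
    if m["method"] == "POST" and path.endswith("/admin/downloads.php"):
        return m["ip"], "admin-upload"  # body not logged: review manually
    if m["method"] == "GET" and re.search(r"/data/down_media/[^/]+\.php$", path):
        return m["ip"], "uploaded-php-request"
    return None

def scan(lines):
    """Classify every line and keep only the findings, in log order."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE = [
    '203.0.113.7 - - [19/Mar/2014:10:00:01 +0000] "GET /poll.php?poll_id=1%27+union+select+1,2+from+seportal_users/* HTTP/1.1" 200 512',
    '203.0.113.7 - - [19/Mar/2014:10:00:05 +0000] "GET /seportal/staticpages.php?sp_id=1%27+and+extractvalue%28rand%28%29,concat%280x7e,version%28%29%29%29--%20- HTTP/1.1" 200 431',
    '203.0.113.7 - - [19/Mar/2014:10:01:10 +0000] "POST /seportal/admin/downloads.php HTTP/1.1" 200 88',
    '203.0.113.7 - - [19/Mar/2014:10:01:12 +0000] "GET /seportal/data/down_media/x.php HTTP/1.1" 200 0',
    '198.51.100.20 - - [19/Mar/2014:10:02:00 +0000] "GET /seportal/staticpages.php?sp_id=3 HTTP/1.1" 200 2048',
    '198.51.100.20 - - [19/Mar/2014:10:02:03 +0000] "GET /seportal/poll.php?poll_id=2 HTTP/1.1" 200 1900',
]

if __name__ == "__main__":
    for ip, finding in scan(SAMPLE):
        print(ip, finding)
```

The session-cookie reuse alert in the notes needs cookie or session logging, which a standard access log does not carry, so it is not covered here.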
GHSA
GHSA-644v-hf89-5j5c: Multiple SQL injection vulnerabilities in SePortal 2
ghsa_unreviewed·2022-05-17
CVE-2008-5191 [HIGH] CWE-89
VMware
Updated service console patches.
vendor_vmware·2008-01-07·CVSS 1.2
CVE-2007-3108 [LOW] Updated service console patches.
VMSA-2008-0001: Updated service console patches.
CVEs: CVE-2007-3108, CVE-2007-4572, CVE-2007-5116, CVE-2007-5135, CVE-2007-5191, CVE-2007-5360, CVE-2007-5398
No detection rules found.
Exploit-DB
SePortal 2.5 - SQL Injection / Remote Code Execution (Metasploit)
exploitdb·2014-03-31
---
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 "SePortal SQLi Remote Code Execution",
'Description' => %q{
This module exploits a vulnerability found in SePortal version 2.5.
When logging in as any non-admin user, it's possible to retrieve the admin session
from the database through SQL injection. The SQL injection vulnerability exists
in the "staticpages.php" page. This hash can be used to take over the admin
user session. After logging in, the "/admin/downloads.php" page will be used
to upload arbitrary code.
},
'License' => MSF_LICENSE,
'Author' =>
[
'jsass', # Discovery
'xistence ' # Metas
Exploit-DB
SePortal 2.5 - SQL Injection (2)
exploitdb·2014-03-19
---
####################################################################
Exploit: SePortal 2.5 Sql Injection Vulnerability
Author: jsass
Date : 19\03\2014
Contact Twitter: @Kwsecurity
Script: http://www.seportal.org/
version: 2.5
Tested on: Linux Ubuntu 12.4 & Windows 7
Dork : "Powered by SePortal 2.5"
//** Searching And Analysis By Kuwaity Crew **\\
####################################################################
SQL INJECTION Vulnerability
code :
$main_template = 'staticpages';
define('GET_CACHES', 1);
define('ROOT_PATH', './');
define('GET_USER_ONLINE', 1);
define('GET_STATS_BOX', 1);
include(ROOT_PATH.'global.php');
require(ROOT_PATH.'includes/sessions.php');
$sql = "SELECT *
FROM ".STATICPAGE_TABLE."
WHERE sp_id = '".$sp_id."'";
$result = $sit
Exploit-DB
SePortal 2.4 - 'poll_id' SQL Injection
exploitdb·2008-06-27
---
#########################################################################
#################### Viva IslaM Viva IslaM ##############################
##
## Remote SQL Injection Vulnerability
##
## SePortal V2.4 ( poll.php poll_id ) ( staticpages.php sp_id )
##
#########################################################################
#########################################################################
##
## AuTh0r : Mr.SQL
##
## H0ME : WwW.PaL-HaCkEr.CoM & WwW.ATsDp.CoM
##
## Email : [email protected]
##
## !! SYRIAN HaCkErS !!
########################
########################
##
## Script : SePortal V2.4
##
## site : www.seportal.org
##
## Download : http://www.seportal.org/downloads.php?action=showfile&id=1
##
########################
#########
Metasploit
SePortal SQLi Remote Code Execution
metasploit
This module exploits a vulnerability found in SePortal version 2.5. When logging in as any non-admin user, it's possible to retrieve the admin session from the database through SQL injection. The SQL injection vulnerability exists in the "staticpages.php" page. This hash can be used to take over the admin user session. After logging in, the "/admin/downloads.php" page will be used to upload arbitrary code.
No writeups or analysis indexed.
http://secunia.com/advisories/30865
http://securityreason.com/securityalert/4623
http://www.securityfocus.com/bid/29996
http://www.securityfocus.com/bid/66315
https://exchange.xforce.ibmcloud.com/vulnerabilities/43450
https://www.exploit-db.com/exploits/5960
Published: 2008-11-21