Network Security Vuln-Dev

SQL injection Seir Anphin v666 Community Management System

Subject: SQL injection Seir Anphin v666 Community Management System
Date: 30 Jul 2006 12:57:05 -0000
CR Advisory#1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  program: Seir Anphin v666 Community Management System
      bug: SQL injection
home page: www.comeplaydying.com
bug found: 27.07.2006

discovered by CR
www.svt.nukleon.us
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~! Details !~
============================================================================================
index.php
^^^^^^^^^

[code]
....
if (isset($HTTP_GET_VARS['styleid'])) {
    $styleid = $HTTP_GET_VARS['styleid'];
    $dbr->query("UPDATE {$dbr->p}user_options SET skin=$styleid WHERE userid=$userinfo[userid]");
.....
[/code]

The variable $userinfo is not filtered for dangerous characters, which makes SQL injection possible.


[code]
.....
function loadskin($skinid)
{
   GLOBAL $dbr,$data;

   $dbr->query("SELECT * FROM {$dbr->p}skins WHERE skinid=$skinid");
.....
[/code]

The variable $skinid is not filtered for dangerous characters, which makes SQL injection possible.
============================================================================================
article.php
^^^^^^^^^^^

[code]
....
if ($this->id != 0) {
    $a['breadcrumbs'] = '';
    $catid = $this->id;
    $c = 1;
    while ($c <= getsetting('max_crumb_depth')) {
        if ($catid == 0) break;
        $dbr->query("SELECT parentid,name,accesslvl_to_read,accesslvl_to_contribute,archive_mode FROM {$dbr->p}article_categories WHERE catid=$catid");
        $cat = $dbr->getarray();
        $crumb_array[] = array('id'=>$catid,
            'name'=>stripslashes($cat['name']),
            'accesslvl_to_read'=>$cat['accesslvl_to_read'],
            'accesslvl_to_contribute'=>$cat['accesslvl_to_contribute']);
        $catid = $cat['parentid'];
        $c++;
    }
....
[/code]

The variable $catid is not filtered for dangerous characters, which makes SQL injection possible.


[code]
....
foreach ($HTTP_POST_VARS['orders'] as $pageid=>$displayorder) {
    // Ensure, at this level, that user has admin, editor or author permission to do this.
    $pass = FALSE;
    if (isadmin() || iseditor()) $pass = TRUE;
    $articleid = $dbr->result("SELECT articleid FROM {$dbr->p}article_pages WHERE pageid=$pageid");
    $authorid  = $dbr->result("SELECT userid    FROM {$dbr->p}articles      WHERE articleid=$articleid");
    if ($data->vars['user']['userid'] == $authorid) $pass = TRUE;
    if ($pass) $dbr->query("UPDATE {$dbr->p}article_pages SET displayorder=$displayorder WHERE pageid=$pageid");
}
....
[/code]

The variables $pageid and $articleid are not filtered for dangerous characters, which makes SQL injection possible.


============================================================================================
blag.php
^^^^^^^^^^^

[code]
.....
if ($this->id != 0) {
    $userid = $dbr->result("SELECT userid FROM {$dbr->p}user_blogs WHERE blogid=$blogid");
    if (!isadmin() && $data->vars['user']['userid'] == $userid) {
        setstatus('access_denied');
        $this->id = $blogid;
        return $this->show();
    }
}
....
[/code]

The variable $blogid is not filtered for dangerous characters, which makes SQL injection possible.


[code]
....
$dbr->query("SELECT p.blogid, b.locked, b.allow_comments, b.isprivate, b.userid
             FROM {$dbr->p}user_blog_posts p
             LEFT JOIN {$dbr->p}user_blogs b ON b.blogid=p.blogid
             WHERE p.postid=$postid");
....
[/code]

The variable $postid is not filtered for dangerous characters, which makes SQL injection possible.


============================================================================================
example
^^^^^^^^^^^
http://www.example.com/index.php?m='
http://www.example.com/index.php?m=member&id='
http://www.example.com/index.php?m=article&id='
http://www.example.com/index.php?m=article&op=read&id='
http://www.example.com/index.php?m=blog&id='
http://www.example.com/index.php?m=blog&op=getpost&id='

============================================================================================
                              CR [ www.svt.nukleon.us ] 2006
