36 lines
No EOL
1 KiB
Text
36 lines
No EOL
1 KiB
Text
# Exploit Title: Datenator 0.3.0 (event.php id) SQL Injection
|
|
# Date: 26.12.09
|
|
# Author: The_HuliGun
|
|
|
|
# Look on code in event.php:
|
|
|
|
22: if(isset($_GET['id']))
|
|
23: {
|
|
24: $event = $datenator->read_event_info($_GET['id']);
|
|
|
|
# Function read_event_info() is in file includes/functions.php
|
|
|
|
412: function read_event_info($event_id)
|
|
413: {
|
|
414: $sql = "SELECT * FROM
|
|
415: ".$this->getConfig('db_tableprefix')."events,
|
|
416: ".$this->getConfig('db_tableprefix')."events_repeat
|
|
417: WHERE
|
|
418: ".$this->getConfig('db_tableprefix')."events.event_id = ".$this->prepare_sql($event_id)." and
|
|
419: ".$this->getConfig('db_tableprefix')."events_repeat.repeat_event_id = ".$this->prepare_sql($event_id)."";
|
|
420:
|
|
421: $event_data=$this->db->Execute($sql);
|
|
422:
|
|
423: if($event_data) {
|
|
424: return $event_data;
|
|
...
|
|
|
|
# As you can see variable id is not filtered, so, we can use such exploit with any php settings:
|
|
|
|
http://[targethost]/[path]/event.php?id=[SQL]
|
|
|
|
# Bug discovered by The_HuliGun
|
|
|
|
# Greetz to: NaTka, hope you'll find yourself ;>
|
|
|
|
# See u soon! |