| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 12 Jul 2007 19:35:33 +0300
From: ls@...ima.serapis.net
To: full-disclosure@...ts.grok.org.uk
Subject: Re: MkPortal - Multiple SQL Injection
Vulnerabilities
Can someone explain the idea behind
http://www.wslabi.com/wabisabilabi/initPublishedBid.do?
It seems all the exploits they are selling are now available to the public,
And at any case once they publish new items for sale it will probably wont take more than a week
Before someone finds it.
So what is the point there ?
Also, how come no new exploits are being added there ?
Tried to call them , no answer ,
Is this site an hoax ?
-----Original Message-----
From: does_not_exist@...-esp.kicks-ass.net [mailto:does_not_exist@...-esp.kicks-ass.net]
Sent: Thursday, July 12, 2007 4:05 PM
Subject: MkPortal - Multiple SQL Injection Vulnerabilities
We tried very hard to find wslabis mkportal SQL Injection but after ten
minutes of "research" we decided that it is hopeless to find exactly
the same bug and therefore we release a compilation of
mkportal sql injections for the interested reader.
Some of them are junk because you need a moderator acc but
the rest is exploitable by a normal user.
Some of the bugs can lead to user defined file deletions and command-exec bugs.
Sorry wslabi but 500$ for a bug in
this script is just a bad joke...
File: /modules/urlobox/index.php
1 . function delete_urlo()
$id = $mkportals->input['idurlo'];
$DB->query("DELETE FROM mkp_urlobox WHERE id = $id");
File: /modules/reviews/index.php
1. function update_file()
$iden= $mkportals->input['iden'];
$query = $DB->query("SELECT idauth FROM mkp_reviews WHERE id = $iden");
2. function del_file()
$iden= $mkportals->input['iden'];
$query = $DB->query( "SELECT image, author,
idauth FROM mkp_reviews WHERE id = $iden");
File: /modules/news/index.php
1. function delete_news()
$idnews = $mkportals->input['idnews'];
$DB->query("DELETE FROM mkp_news WHERE id = $idnews");
2. function del_comment()
$idcomm= $mkportals->input['idcomm'];
$DB->query("DELETE FROM mkp_news_comments
WHERE id = $idcomm");
File: /modules/gallery/index.php
1. function delete_comments()
$idcomm= $mkportals->input['idcomm'];
$DB->query("DELETE FROM mkp_gallery_comments
WHERE id = $idcomm");
2. function edit_file()
$iden = $mkportals->input['iden'];
$query = $DB->query( "SELECT evento, titolo, descrizione,
autore, idauth FROM mkp_gallery WHERE id = $iden");
3. function update_file()
$iden= $mkportals->input['iden'];
$query = $DB->query("SELECT idauth FROM mkp_gallery
WHERE id = $iden");
4. function del_file()
$iden= $mkportals->input['iden'];
$query = $DB->query( "SELECT file, autore, idauth
FROM mkp_gallery WHERE id = $iden");
5. function slide_update() {
$ide= $mkportals->input['ide'];
$cat = $mkportals->input['cat'];
$query = $DB->query( "SELECT id, titolo, file FROM mkp_gallery WHERE id > $ide
AND evento = $cat AND validate = '1' ORDER BY 'id' LIMIT 1");
File: /modules/downloads/index.php
1. function update_file()
$iden= $mkportals->input['iden'];
$query = $DB->query( "SELECT file, data, idauth, peso
FROM mkp_download WHERE id = $iden");
2. function del_file()
$iden= $mkportals->input['iden'];
$query = $DB->query( "SELECT file, autore, idauth
FROM mkp_download WHERE id = $iden");
.......
Just look for del_, edit_ or update functions and you will find more.
greetings to jmp-esp
jmp-esp.kicks-ass.net
IRC: jmp-esp.kicks-ass.net / 6667 or 6661 (ssl) #main
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists