Datenator 0.3.0 - 'event.php?id' SQL Injection

EDB-ID:

10716

CVE:

N/A




Platform:

PHP

Date:

2009-12-26


# Exploit Title: Datenator 0.3.0 (event.php id) SQL Injection
# Date: 26.12.09
# Author: The_HuliGun

# Look on code in event.php: 
 
22: if(isset($_GET['id'])) 
23: {
24: 	$event = $datenator->read_event_info($_GET['id']);

# Function read_event_info() is in file includes/functions.php 

412: function read_event_info($event_id)
413:	{
414:		$sql = "SELECT * FROM 
415:		".$this->getConfig('db_tableprefix')."events,
416:		".$this->getConfig('db_tableprefix')."events_repeat 
417:		WHERE 
418:		".$this->getConfig('db_tableprefix')."events.event_id = ".$this->prepare_sql($event_id)." and  
419:		".$this->getConfig('db_tableprefix')."events_repeat.repeat_event_id = ".$this->prepare_sql($event_id)."";
420:
421:		$event_data=$this->db->Execute($sql);
422:
423:		if($event_data) {
424:			return $event_data;
                        ... 

# As you can see variable id is not filtered, so, we can use such exploit with any php settings:

http://[targethost]/[path]/event.php?id=[SQL]

# Bug discovered by The_HuliGun

# Greetz to: NaTka, hope you'll find yourself ;>

# See u soon!