onArcade v2.2 Blind SQL Vulnerability

/**
 * @exploit             onArcade v2.2 Blind SQL Vulnerability
 * @version             2.2 tested & Also All versions infacted
 * @author              Cold Zero <- [Cold z3ro] => www.hackteach.org
 * @copyright           27/10/2012
 * @script              http://up.support-ar.com/upload/files/onArcade%20v2.2.zip
 * @vendor              http://www.onarcade.com/
 */


1. [SQl] 

In forums.php the GET value of r ($_GET['r']) its only secured to be as a number,
with function is_numeric($_GET['r']) check it http://php.net/manual/en/function.is-numeric.php
then as we can use none exist number like 99999999999999 then exploit it


error lines =>


case 'new_reply':
	// get topic or post information
	if (isset($_GET['t']) && is_numeric($_GET['t']))
		$topic_sql = "
		SELECT
			t.topic_id, t.title AS topic_title, t.replies, t.locked,
			f.forum_id, f.title AS forum_title, f.reply_permission
		FROM
			". $tbl_prefix ."forums_topics AS t
			LEFT JOIN ". $tbl_prefix ."forums AS f ON (f.forum_id = t.forum_id)
		WHERE
			t.topic_id = ". (int) $_GET['t'] ."
		LIMIT 1";
	elseif (isset($_GET['r']) && is_numeric($_GET['r']))
		$topic_sql = "
		SELECT
			r.title AS reply_title, r.message,
			t.topic_id, t.title AS topic_title, t.replies, t.locked,
			f.forum_id, f.title AS forum_title, f.reply_permission
		FROM
			". $tbl_prefix ."forums_replies AS r
			LEFT JOIN ". $tbl_prefix ."forums_topics AS t ON (r.topic_id = t.topic_id)
			LEFT JOIN ". $tbl_prefix ."forums AS f ON (f.forum_id = t.forum_id)
		WHERE
			r.reply_id = ". (int) $_GET['r'] ."
		LIMIT 1";
	else
		no_page();

[EOF]



Exploit:

/forums.php?a=new_reply&r=[ Blind SQL ]

#  0day.today [2018-01-09]  #