e107 Advanced Medal System Plugin – SQL Injection

• Exploit Database
• 9 阅读

• 作者： Life Wasted
  日期： 2013-06-26
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/26449/

• # Exploit Title: Advanced Medal System SQL Injection
  # Google Dork: inurl:advmedsys_view.php
  # Date: 6/18/13
  # Exploit Author: Life Wasted and Caspa
  # Vendor Homepage: http://e107.org/e107_plugins/psilo/list.php?mode=plugin&id=699
  # Software Link: http://e107.org/e107_plugins/psilo/psilo.php?download.699
  # Version: 1.42
  # Tested On: Linux
  
  Vulnerable Code (advmedsys_view.php):
  // Lines 17-23
  if (e_QUERY) {
  $tmp = explode('.', e_QUERY);
  $action = $tmp[0];
  $sub_action = $tmp[1];
  $id = $tmp[2];
  unset($tmp);
  }
  // Line 232
  $sql->db_Select("advmedsys_awarded", "*", "WHERE awarded_user_id = $sub_action","");
  
  Example URL: http://site.com/plugins/advmedsys_view.php?profile.*SQL HERE*